1.0 Introduction

The  Military  Healthcare  System  (MHS)  has  fully  embraced  digital  imaging  technologies. 
Picture  Archiving  and  Communications  Systems  (PACS)  allow  for  the  archiving  and 
management  of  these  images  across  different  Military  Treatment  Facilities  (MTFs).  To 
date,  the  Services  have  invested  over  $400M  procuring  and  deploying  PACS  and 
Teleradiology  systems  and  have  produced  approximately  four  million  procedures  per 
year.  Local  MTFs  are  finding  it  increasingly  difficult  to  cope  with  continued  image 
management  requirements,  in  terms  of  space  and  funding.  They  are  also  struggling  to 
manage  these  increasingly  large  and  complex  PACS  networks,  in  particular  when  it 
comes  to  dealing  with  network  security.  Two  workshops  have  been  organized  around 
each  of  these  topics  with  the  intent  of  defining  the  issues  and  determining  potential 
solutions. In general, the workshops were designed to bring together government, in
particular from the Department of Defense (DoD), academia and industry to ensure a
broad view of the issues and, subsequently, to recommend a comprehensive solution.
Specifically,  the  “Open  Source  Universal  PACS  Archive”  workshop  focused  on  current 
challenges  and  potential  solutions  to  the  management  of  images  and  other  clinical 
information  in  multi-center  settings  while  the  purpose  of  the  Network  Security  for  Medical 
Devices  and  Systems  workshop  was  to  review  and  assess  emergent  issues  and 
operational impacts related to the imposition of non-medical Information Assurance (IA)
and  network  security  processes  to  the  healthcare  delivery  domain. 

2.0  Open  Source  Universal  PACS  Archive  Workshop 

The  Open  Source  Universal  PACS  Archive  Workshop  was  renamed  as  the  Multi-Center 
Image  Management  (MCIM)  Workshop.  It  was  held  on  March  6-9,  2006  at  the 
Renaissance  Hotel  and  Resort  in  Las  Vegas,  Nevada.  The  objective  of  the  workshop 
was  to  explore  the  gap  of  current  PACS  systems  and  future  directions  and  discuss 
possible  solutions  with  open  source  as  a  potential  vehicle  to  achieve  them  as  well  as  a 
Grid  Computing  architecture  to  support  them.  However,  as  the  workshop  progressed,  it 
became  evident  that  the  presented  challenges  and  solutions  are  relevant  not  just  to 
image  management  but  to  information  management  in  general.  For  two  days, 
approximately  60  subject  matter  experts  and  practitioners  from  academia,  government 
and  industry  met  to  discuss  current  challenges  and  potential  open  solutions  to  the 
management of information in multi-center settings. The workshop consisted of a series
of presentations aimed at providing a baseline understanding of the current challenges. It
also  focused  on  open  source  as  a  potential  solution  with  examples  of  robust  open 
source  projects  and  software  methodologies.  Several  examples  of  successful  business 
models  for  maintaining  the  development  effort  were  described  and  the  importance  of 
long  term  sustainability  beyond  initial  government  funding  was  discussed.  An  open 
source  approach  was  also  introduced  as  a  new  model  for  collaboration  between 
academia,  industry  and  government. 

2.1  Problem  definition  -  what  is  the  problem  we  are  trying  to  solve? 

The  information  requirements  for  a  biomedical  research  environment  are  markedly 
different  from  the  clinical  environment.  Commercial  medical  information  and  imaging 
systems  are  designed  to  support  efficient  clinical  operations  within  a  single  organization 
whereas  researchers  need  to  be  able  to  integrate  research  data  with  clinical  data  often 
residing  in  multiple  distributed  information  repositories.  The  information  management 
components  for  research  must  be  able  to  handle  more  complex  queries,  data  mining  and 
a  broad  spectrum  of  data  types  beyond  routine  clinical  data  [1].  This  gap  between 
clinical and research requirements prevents the efficient exchange, sharing,
management,  and  analysis  of  multimedia  medical  information  such  as  clinical 
information,  images,  and  bioinformatics  data  as  well  as  proteomics  data  sets, 
significantly  impacting  the  capability  to  translate  research  into  clinical  outcomes.  Thus, 
while  hospitals  and  research  communities  are  collecting  unprecedented  amounts  of 
clinical  data  and  research  data,  the  ability  to  data  mine  these  rich  collections  to  support 
research  is  limited  within  an  institution  and  is  essentially  nonexistent  across  institutions. 
Bioinformatics  and  proteomics  data  have  become  increasingly  important  in  clinical 
research  but  there  are  not  efficient  ways  to  incorporate  these  data  with  clinical 
information.  Multi-center  clinical  trials  are  common  activities  yet  many  of  the  trials  are 
still  managed  manually  and  cannot  optimize  the  value  that  a  multi-center  model 
represents.  Each  of  these  issues  is  a  direct  result  of  the  inability  to  exchange 
multimedia  clinical  data  and  research  information  across  different  organizations  and 
functional  environments  and  impedes  the  ultimate  goal  of  improving  patient  outcomes. 

The  current  situation  calls  for  innovative  solutions  that  engage  a  broad  community  of 
users.  Using  an  open  source  and  open  architecture  framework  would  allow  rapid 
implementation  of  scalable  and  robust  software  development  in  a  cost  effective  manner 
by  a  community  of  users  from  academia,  industry  and  government. 

2.2  Possible  solution  -  open  source  approach 

Adopting  an  approach  that  includes  open  source  software  and  an  open  architecture  is 
essential  to  a  solution  that  can  bridge  the  information  management  gap  between 
functional  environments  within  an  institution  and  across  multiple  institutions.  An  open 
source  framework  supports  rapid  software  development  while  open  architecture 
encourages  interoperability  across  different  environments.  An  open  methodology  for  this 
effort  will  encourage  development  and  implementation  of  software  applications  that  can 
expedite  translational  research  in  a  multi-center  setting. 

Open  source  software  development  has  become  a  cultural  as  well  as  an  economic 
phenomenon  within  the  information  technology  (IT)  community.  It  efficiently  harnesses 
global  skills  and  resources,  resulting  in  accelerated  research  and  development.  Open 
source  initiatives  encourage  high  level  technical  communication,  provide  conventions  for 
interoperable  software  development,  establish  a  baseline  for  improvement,  open  the 
field  to  “beginners”,  and  create  common  ground  for  product  development  [2].  There  is 
also  a  growing  body  of  evidence  that  open  source  software  produces  more  robust  code 
with  fewer  bugs.  From  a  government  perspective,  the  demand  for  open  access  for 
taxpayer-funded  projects  and  the  need  for  quality  and  performance  in  mission  critical 
applications  is  leading  to  an  increased  demand  for  open  source  solutions  [3].  Within  the 
National  Institutes  of  Health  (NIH)  specifically,  the  requirements  for  accelerating 
discovery  include  promoting  team  science,  lowering  barriers  and  entry  costs,  enabling 
(enforcing)  repeatable  results  and  eliminating  oversight  through  transparency.  An  open 
source  software  tactic  reduces  redundancy  of  research,  enforces  good  research 
practices,  and  enables  sharing  of  ideas  [2].  Overall,  the  open  source  software  concept 
has  the  greatest  potential  for  success  in  developing  tools  that  can  bridge  the  clinical 
information  management  gap  between  the  research  and  clinical  communities. 

2.2.1  Open  solution  in  biomedical  applications 

There  has  been  remarkable  penetration  of  open  source  software  in  medical  imaging 
research  software.  The  Visualization  Toolkit  (VTK)  [4]  and  the  Insight  Toolkit  (ITK)  [5], 
supported by the National Library of Medicine (NLM) of the NIH represent two large,
mature, and globally utilized open source toolkits that provide state-of-the-art imaging
architectures  and  algorithms  to  application  developers.  VTK  provides  a  wide  range  of 
advanced  multi-dimensional  visualization  algorithms  including  volumetric  reformat, 
volume  rendering,  and  geometric  surface  rendering  algorithms.  ITK  provides  advanced 
image  processing  algorithms,  with  a  particular  emphasis  on  medical  image  segmentation 
and  image  registration  algorithms.  VTK  and  ITK  were  developed  with  a  strong  emphasis 
on  advanced  computing  technologies  and  software  quality.  The  C++  software 
architecture  of  these  toolkits  has  evolved  over  the  years  to  support  a  wide  range  of 
advanced  algorithms  and  computing  technologies  including  parallel  computing.  In 
addition,  several  computational  tools  and  utilities  have  been  developed  that  facilitate  the 
global  development  of  a  high  quality  toolkit  including  a  cross-platform  build  tool  called 
CMake  and  a  software  quality  dashboard  called  DART.  These  open  source  imaging 
toolkits,  and  their  supporting  tools  and  utilities,  represent  a  large  and  growing  resource 
for  future  open  source  technology  solutions  [6]. 

The  Image-Guided  Surgery  Toolkit  (IGSTK)  [7],  another  project  supported  by  National 
Institute  of  Biomedical  Imaging  and  Bioengineering  at  the  NIH,  is  an  open  source,  cross 
platform,  software  toolkit.  IGSTK  integrates  the  basic  components  needed  in  surgical 
guidance  applications  and  provides  a  common  platform  for  fast  prototyping  and 
development  of  robust  image-guided  applications  [8]. 

In  recent  years,  open  source  software  has  gained  visibility  in  the  healthcare  community. 
Several  lead  projects  include  OpenVistA,  a  patient  information  system  based  on  the 
Veteran  Administration’s  system,  Care2X,  an  integrated  practice  management  solution 
in  Europe  and  Health  Infoway,  a  patient  data-exchange  venture  in  Canada  [9]. 

2.3  Requirements  for  a  successful  open  source  software  framework 

While  a  successful  open  source  software  effort  can  produce  rapid,  innovative  and  cost- 
effective  software  development,  making  it  successful  requires  not  only  an  understanding 
of  the  technical  and  business  requirements  of  an  open  source  software  framework  but 
the  cultivation  of  a  community  of  users  who  can  contribute  and  benefit  from  the 
endeavor. 

2.3.1  Open  architecture  requirements 

An  open  source  software  approach  must  be  coupled  with  an  open  architecture  to  be 
sustainable in the long run. "Open" refers to the process used to develop standards that
achieve  interoperability  where  "architecture"  defines  the  components,  their  organizations 
and  interactions,  and  the  design  philosophy  used  [10].  Standardization  is  critical  for 
creating  interoperable,  portable,  and  reusable  components  and  systems;  it  also 
contributes  to  the  development  of  secure,  robust,  and  scalable  systems.  Grid 
technologies  have  emerged  as  a  component  of  the  national  cyber  infrastructure 
supporting  effective  healthcare  information.  The  underlying  open  grid  services 
architecture  (OGSA)  represents  a  growing  trend  in  systems  architecture.  The  key  to  the 
realization  of  this  Grid  vision  is  standardization,  so  that  the  diverse  components  that 
make  up  a  modern  computing  environment  can  be  discovered,  accessed,  allocated, 
monitored, accounted for, billed for, etc., and in general managed as a single virtual
system — even  when  provided  by  different  vendors  and/or  operated  by  different 
organizations  [11]. 

Grid  applications  in  biomedical  environments  enable  the  creation  and  operation  of 
distributed  communities  across  organizational  boundaries.  Enhanced  collaboration 
environments, visualization tools, computational resources and storage capabilities are
all  grid  services  upon  which  Virtual  Organizations  can  build  information  infrastructure. 
This  emerging  IT  infrastructure  enables  the  creation,  administration  and  management  of 
image based biomedical information [12].

2.3.2  Technical  requirements  for  an  open  source  software  framework 

Open-source  evangelist  Eric  S.  Raymond  suggests  a  model  for  developing  open  source 
software  known  as  the  Bazaar  model.  He  advocates  that  all  software  should  be 
developed  using  the  bazaar  style,  described  as  "a  great  babbling  bazaar  of  differing 
agendas  and  approaches"  [13].  In  order  to  make  this  model  effective,  Gregorio  Robles 
suggests  the  following  principles  [14]:  (1)  Users  should  be  given  access  to  the  source 
code  of  the  software  and  be  encouraged  to  submit  additions,  code  fixes,  bug  reports, 
documentation, etc. Having more co-developers increases the rate at which the
software  evolves.  (2)  The  first  version  of  the  software  should  be  released  as  early  as 
possible  so  as  to  increase  one's  chances  of  finding  co-developers  early.  (3)  New  code 
should  be  integrated  as  often  as  possible  so  as  to  avoid  the  overhead  of  fixing  a  large 
number  of  bugs  at  the  end  of  the  project  life  cycle.  (4)  There  should  be  at  least  two 
versions  of  the  software  -  a  development  version  with  more  features  and  a  more  stable 
version  with  fewer  features.  The  development  version  is  for  users  who  want  the 
immediate  use  of  the  latest  features,  and  are  willing  to  accept  the  risk  of  using  code  that 
is  not  yet  thoroughly  tested.  The  users  can  then  act  as  co-developers.  The  stable 
version  offers  the  users  fewer  bugs  but  fewer  features.  (5)  The  general  structure  of  the 
software  should  be  modular  allowing  for  parallel  development.  (6)  There  is  a  need  for  a 
decision  making  structure,  whether  formal  or  informal,  that  makes  strategic  decisions 
depending  on  changing  user  requirements  and  other  factors. 

2.3.3 Distribution scheme for a successful open source software framework

As  with  proprietary  software,  open  source  software  is  distributed  under  a  license.  To 
help  establish  some  degree  of  uniformity,  the  Open  Source  Initiative  (OSI)  created  the 
Open  Source  Definition  which  is  a  specification  of  what  must  and  must  not  appear  in  a 
license  in  order  for  the  software  to  be  considered  open  source.  To  meet  the  open  source 
definition,  a  license  must  provide  the  following  features  [15]:  (1)  The  license  shall  not 
restrict  any  party  from  selling  or  giving  away  the  software  as  a  component  of  an 
aggregate  software  distribution  containing  programs  from  several  different  sources.  (2) 
The  program  must  include  source  code,  and  must  allow  distribution  in  source  code  as 
well  as  compiled  form.  (3)  The  license  must  allow  modifications  and  derived  works,  and 
must  allow  them  to  be  distributed  under  the  same  terms  as  the  license  of  the  original 
software.  (4)  The  license  must  not  discriminate  against  any  person  or  group  of  persons. 
(5)  The  license  must  not  restrict  anyone  from  making  use  of  the  program  in  a  specific 
field  of  endeavor.  For  example,  it  may  not  restrict  the  program  from  being  used  in  a 
business,  or  from  being  used  for  genetic  research. 

2.3.4  Sustainability  and  business  models 

Although  an  open  source  software  framework  is  cost  effective,  it  is  not  free.  There  are 
costs  associated  with  the  process.  To  maintain  and  grow  the  effort  requires  a 
sustainability  plan  that  goes  beyond  the  initial  funding  period.  Money  will  not  come  in 
through  traditional  licensing  fees,  thus  other  business  models  need  to  be  considered.  As 
open  source  software  development  has  matured,  a  number  of  business  models  for 
sustainability  have  emerged. 

In  the  service/maintenance  model  companies  sell  support  and  services  around  the  open 
source software, for example, Red Hat (Linux) or Medsphere (OpenVista). In this
approach,  users  pay  for  support  of  the  software  although  they  may  choose  to  support 
the  software  themselves.  In  another  approach,  the  vendor  provides  an  open  source 
code  base  with  proprietary  add-ons.  Examples  of  this  model  include  Sourcefire  (security) 
and SugarCRM (customer relationship management). In a dual license approach, a company
offers  free  use  of  its  software  with  some  limitations,  or  alternatively  offers  commercial 
distribution  rights  and  a  larger  set  of  features  for  a  fee.  Both  the  MySQL  and  Sleepycat 
databases  are  examples  of  a  dual  license  model.  In  the  Aggregation  Model  also  known 
as  the  “Lego”  strategy,  companies  act  as  middlemen  to  assemble  various  open  source 
packages  into  easy-to-use  integrated  units.  SourceLabs  and  SpikeSource  have  adopted 
this  model  [9]. 

2.3.5  New  business  models  for  academia,  industry  and  government 

The  NLM  has  been  one  of  the  champions  of  open  source  software  development.  As  the 
imaging  data  from  the  Visible  Human  Project  were  released  for  public  use,  the  NLM  set 
out  to  “create  a  dynamic,  self-sustaining,  public  domain  and  extensible  toolkit  that  will 
empower  researchers  throughout  the  world  to  develop  new  segmentation  and 
registration  algorithms  and  create  new  applications  that  leverage  the  NLM’s  investment 
in  the  Visible  Human  Male  and  Female  data  sets”  [16].  The  project  produced  the  Insight 
Tool  Kit  after  four  years  and  seven  million  dollars  of  government  funding.  This 
experience  made  it  clear  to  the  government  that  while  open  source  developed  by 
government  grants  may  promote  open  science  and  empower  researchers,  it  is  not  free. 
There  are  costs  associated  with  the  effort  such  as  distribution  of  the  software,  quality 
control  of  the  software,  and  user  support.  In  order  to  cross  the  “valley  of  death”  between 
research  and  successful  technology  transfer,  it  is  imperative  that  an  open  source  effort 
can  be  converted  to  a  financially  sustaining  activity. 

An  open  source  software  approach  offers  a  unique  way  for  academia,  industry,  and 
government  to  work  in  partnership  to  facilitate  rapid  dissemination  of  knowledge  into  the 
commercial  sector  for  wider  applications.  Software  developed  by  the  academic  research 
community,  under  government  sponsorship  can  be  offered  to  the  open  source 
community  for  further  testing  and  development  and  eventual  adoption  by  the  commercial 
industry. 

The  US  Army  Medical  Research  and  Materiel  Command  (USAMRMC),  Telemedicine 
and  Advanced  Research  Center  (TATRC)  is  responsible  for  life  cycle  management  of 
over  500  medical  research  and  development  programs,  with  a  2005  budget  of 
approximately  $300  million.  The  Center’s  research  responsibilities  extend  to  execution 
of  academic,  government  and  industry  programs  in  biomedical  research.  TATRC  is 
currently  developing  a  program  to  improve  the  productivity  in  technology  transfer  from 
research  community  to  the  commercial  sector.  This  program  uses  Triple  Helix  strategies 
involving  academia,  industry  and  government  to  accelerate  technology  implementation. 
The  open  source  approach  is  seen  as  a  potentially  effective  means  of  making  research 
results  available  for  greater  dissemination  through  timely  commercialization  [17]. 

2.4  Recommendations 

At the conclusion of the workshop, the participants acknowledged the technology gaps
between  commercial  information  systems  that  focus  on  efficient  clinical  operations  within 
a  single  institution  and  the  research  environment  which  requires  flexible  access  to 
multimedia  data  generated  by  different  vendor  products  and  residing  in  multiple 
distributed repositories. It was further noted that these gaps are not likely to be addressed
by the commercial community any time soon as the market for such capability in the
current  biomedical  environment  is  very  limited.  The  participants  concluded  that  open 
source,  open  standards,  and  open  architecture  can  be  efficient  methods  of  supporting 
open  science  and  improved  interoperability.  There  was  broad  agreement  that  adequate 
rigor  must  be  incorporated  into  an  open  source  process  in  order  to  meet  the  highest 
standards  of  software  quality  and  that  long  term  sustainability  beyond  initial  government 
funding  requires  strategic  planning.  An  open  source  approach  was  also  introduced  as  a 
new  model  for  collaboration  between  academia,  industry  and  government.  The 
workshop  concluded  that  an  open  source  effort  by  the  research  community  to  develop 
robust,  freely  available  tools  that  meet  the  information  management  needs  of  basic, 
clinical  and  translational  research  is  essential  to  mend  the  gap  between  the  research 
and  clinical  communities. 

Based  on  the  recommendations  of  the  MCIM  workshop,  a  new  consortium  has  been 
formed  to  launch  an  open  source/open  architecture  effort  that  narrows  the  gap  between 
clinical  and  research  needs  by  focusing  on  the  development  of  software  tools  that 
enable  the  efficient  exchange,  sharing,  management,  and  analysis  of  multimedia 
medical  information.  Imaging  and  informatics  experts  at  Georgetown  University, 
Washington  University  in  St.  Louis,  the  Northwestern  University  Feinberg  School  of 
Medicine  and  University  of  Geneva,  Switzerland  have  agreed  to  form  the  Image 
Management  Toolkit  (ImTK)  Consortium.  Collectively  this  consortium  represents 
demonstrated  expertise  in  technology,  clinical  operations,  technology  development,  and 
technology  management  within  the  academic,  government  and  industrial  environment. 

The  mission  of  the  ImTK™  Consortium  is  to  expedite  translational  biomedical  research 
through  the  development  of  software  tools  that  enable  efficient  exchanging,  sharing, 
management,  and  analysis  of  multimedia  medical  information  such  as  clinical 
information,  images,  and  bioinformatics  data.  The  ImTK™  Consortium,  together  with 
partners  in  academia,  industry  and  government,  will  organize  itself  around  four  cores:  1) 
software  tool  development,  2)  open  architecture  and  data  model  implementation,  3) 
knowledge  dissemination,  and  4)  management  and  sustainability.  A  well  managed  open 
source  development  process  has  been  proven  to  produce  high  quality  products  in  a  cost 
efficient  manner  while  simultaneously  developing  a  collaborative  user/developer 
community.  The  ImTK™  technology  initiative  will  not  only  provide  open  source  software 
tools  and  components  but  also  an  open  architecture  in  which  they  may  be  configured 
and  deployed.  The  tools  will  comply  with  existing  standards  such  as  Digital  Imaging  and 
Communications  in  Medicine  (DICOM)  and  Health  Level  Seven  (HL7)  and  build  on  the 
technical  frameworks  and  workflow  defined  by  the  Integrating  the  Healthcare  Enterprise 
(IHE)  initiative.  The  open  architecture  will  draw  on  the  best  practices  of  the  grid 
computing  community  and  service  oriented  architecture.  This  new  effort  will  build  on  the 
expertise,  processes  and  development  tools  used  to  create  ITK  and  VTK.  It  will  also 
bring  insight  and  definition  to  the  role  the  FDA  will  play  in  regulating  open  source  efforts 
in  the  healthcare  arena  [17].  These  processes  will  ensure  the  robustness  of  the  software 
and  extend  the  family  of  toolkits  from  image  analysis  and  visualization  to  multimedia 
information  management,  information  fusion  and  data  mining. 

Under the ImTK Consortium, three significant MCIM-related activities are in development.

1. MCIM 2007 - On April 30 - May 3, 2007, a follow up workshop to the MCIM will
be  held.  Funding  has  been  requested  from  USAMRMC  and  NIBIB.  The 
workshop  will  focus  on  open  source  solutions  for  the  management  of  clinical  and 
research information in multi-center settings and will look especially to the
“imaging  for  biomarker”  community  for  input  on  requirements. 

2.  Research  master  subject  index  (RMSI)  using  web  services-based  patient 
identification  service  (WS/PIDS)  -  The  ImTK  concept  is  to  implement  an  open 
source  development  process  that  will  facilitate  the  rapid  and  robust  development 
of  information  management  tools  that  can  bridge  the  gap  between  the  clinical 
and  research  domain.  Washington  University  in  St.  Louis  and  the  ISIS  Center  of 
Georgetown  University  are  collaborating  to  create  an  open  source 
implementation  of  a  Research  Master  Subject  Index  (RMSI)  for  use  in 
Washington  University’s  Center  for  Clinical  Imaging  Research  (CCIR).  The 
CCIR  merges  state-of-the-art  imaging  technologies  and  a  comprehensive  IT 
infrastructure  designed  to  manage  clinical  and  translational  research  programs 
and  trials  in  isolation  from  the  normal  clinical  routine.  The  RMSI  correlates 
multiple  research  ID  domains  (one  per  clinical  trial)  and  one  clinical  ID  domain  to 
permit  secure  management  of  Protected  Health  Information  (PHI)  for  research 
subjects  participating  in  clinical  trials  and  investigator-initiated  research  projects. 

It  is  necessary  to  correlate  identifiers  between  the  two  domains  in  order  to  permit 
a  researcher  to  access  segments  of  a  subject’s  clinical  electronic  medical  record. 
The  project  uses  a  patient  identification  service  (WS/PIDS)  developed  at 
Georgetown  University  to  support  the  unique  research  imaging  environment 
provided  by  CCIR. 

3. Integration of SAML 2.0 into the IHE Cross-enterprise User Authentication
(XUA) profile - Authentication/authorization issues across the enterprise are
significant  to  the  MCIM  concept.  Northwestern  University  and  the  ISIS  Center  of 
Georgetown  University  are  collaborating  to  evaluate  the  use  of  SAML  2.0  for  the 
IHE  XUA  profile. 

3.0  Network  Security  for  Medical  Devices  and  Systems  (NSM)  Conference 

The  Network  Security  for  Medical  Devices  and  Systems  (NSM)  Conference  was  held 
June 12-14, 2006 at the Hilton Arlington Hotel in Arlington, Virginia. The purpose of this
conference was to review and assess emergent issues and operational impacts related
to the imposition of non-medical Information Assurance (IA) and network security
processes  to  the  healthcare  delivery  domain.  Approximately  50  participants  from  the 
Department  of  Defense  (DoD),  Veterans  Administration  (VA),  industry  and  academia 
met for two days. On Day One, invited subject matter experts representing a variety of
clinical functional areas and operational environments related to network management
and device security presented significant issues from their perspectives in order to
establish  a  baseline  of  common  understanding.  On  Day  Two,  the  workshop  participants 
were  broken  out  into  five  multi-disciplinary  groups  and  tasked  with  defining  problems  and 
recommending  solutions  to  senior  executive  decision  makers  in  the  DoD,  industry, 
academia,  and  the  civilian  health  system  for  protecting  these  essential  clinical  tools  and 
related  healthcare  delivery  workflows.  Recommendations  from  the  five  breakout  groups 
were  presented  back  to  the  plenary  group,  followed  by  further  discussion  intended  to 
challenge  recommended  solutions  and  seek  common  ground  among  the  conference 
body. 

3.1  Workshop  Rationale 

Historically,  medical  devices  were  designed  as  stand-alone  devices  with  little  concern  for 
information security (e.g., PACS) [18]. However, as network infrastructures have
become  an  integrated  component  of  information  technology  (IT),  many  networked 
medical  devices  and  systems  have  become  essential  to  efficient  clinical  workflows  in 
and between hospital environments. IT and engineering staff now interconnect many IT-
based  hospital  devices  -  putting  large-scale  enterprise  systems  on  the  same  network 
with  laboratory,  monitoring,  diagnostic  and  treatment  systems.  Although  there  are  many 
benefits  to  networking  medical  devices,  it  also  exposes  critical  hospital  equipment  to  risk 
from  attack  by  a  software  worm,  virus,  or  other  software  security  breach.  Because 
medical devices are designed for a specific purpose with particular design
considerations and constraints, it is difficult to protect them from software vulnerabilities
with the measures that are typically used with other, more general purpose IT devices. Examples include
routine  patching  of  commercial  operating  systems  in  medical  devices  or  application  of 
anti-virus  software  to  medical  devices.  Such  actions  can  potentially  change  the  operating 
function  of  the  medical  device  with  the  possibility  for  negative  impact  on  patient  safety 
and,  therefore,  cannot  be  undertaken  by  the  end  user  without  the  expressed  support  and 
consent  of  the  original  equipment  manufacturer.  Within  a  large  enterprise,  the  complexity 
of  the  issue  is  compounded  since  it  involves  multiple  healthcare  devices  and  systems, 
domains  and  vendors.  The  rapid  proliferation  of  these  devices  combined  with  increasing 
network security and IA requirements has resulted in an emergent need to develop a
common  approach  to  the  design,  deployment  and  maintenance  of  secure  healthcare 
devices  and  systems  in  a  networked  environment. 

3.2  Common  themes  -  problem  definition  and  strategic  approaches 

The purpose of the NSM conference was to explore the IA issues for net-centric medical
devices and systems and develop a set of possible solutions with the intent of
developing a recommended set of guidelines. Several common themes emerged as the
subject matter experts presented particular issues and the working groups further
clarified and contextualized the issues.

3.2.1  Problem  definition 

Although  the  workshop  participants  agreed  that  the  common  goal  of  network  security  for 
medical  devices  and  systems  is  to  protect  the  healthcare  delivery  process  and  that 
currently  this  goal  has  not  been  adequately  achieved,  the  group  identified  five  underlying 
issues  that  must  be  addressed  in  determining  a  suitable  NSM  solution. 

1. Ambiguity in IA interpretation

Currently, ambiguities exist in a number of critical areas including:

■ The definition of “medical device” - thus, security requirements remain
unclear

■ Application of the DITSCAP to medical devices across DoD (from
base-to-base and service-to-service)

■ Lack of consistency of IA across DoD entities and the Veterans
Administration

2.  A  standard  IT  approach  for  NSM  does  not  exist 

Multiple  ad  hoc  approaches  have  been  implemented  as  needed  but  there  has  not 
been  a  standardized  approach  to  product  development,  implementation  or 
maintenance. 

3. Network control is distributed

The architecture for medical system network operations is not centralized,
making effective security management impractical. The underlying architecture
must provide unified management, mitigation and control.

4. Device patching/upgrading

A large number of medical devices are manufactured by various vendors and
supported by a variety of operating systems, making it difficult to apply upgrades
and patches. Vendors are having difficulty providing rapid, consistent remote
service support due to local variability, available bandwidth and local
approval processes. Additionally, there is no consistent guidance to allow
vendors to determine and effectively communicate which software patches are
necessary and unnecessary in their device portfolios. The result of these
challenges is that upgrades and patches are not installed.

5. IA is not integrated into the product life cycle

The acquisition side of the life cycle needs to specify the IA requirements so that the
product development side can include the requirements in the deliverable.

3.2.2  Strategic  approaches  for  developing  solutions 

Developing a set of solutions to the NSM issue requires an organizational framework
that can manage the various stakeholders and their different perspectives, a guiding
context for the issues, and potential technical solutions. Several significant strategic
approaches were emphasized throughout the conference.

1. Community of interest

Healthcare enterprises began connecting medical devices to networks in “mid-cycle”.
HIPAA made its debut and forced the need to protect electronic individual health
information systems from breaches of confidentiality and integrity without laying out a
clear path of responsibility. The result has been much “finger pointing” about who should
bear responsibility for repairing the vulnerabilities. It would be more effective to attack the
problem as a community. By forming a Community of Interest (COI) for IA of
net-connected healthcare devices and systems, the stakeholders can come together to
specify the requirements of the community, outline a strategy for implementation and
identify concrete tasks. The COI provides the organizational framework in which to
efficiently execute solutions specific to the needs of the community.

2.  Medical  Enclave 

According  to  DOD  directive  8500.1  E2.1.16.2  [19],  “an  enclave  is  the  collection  of 
computing  environments  connected  by  one  or  more  internal  networks  under  the  control 
of  a  single  authority  and  security  policy,  including  personnel  and  physical  security. 
Enclaves  always  assume  the  highest  mission  assurance  category  and  security 
classification of the automated information system (AIS) applications or outsourced
IT-based processes they support, and derive their security needs from those systems. They
provide standard IA capabilities, such as boundary defense, incident detection and
response,  and  key  management,  and  also  deliver  common  applications,  such  as  office 
automation  and  electronic  mail.  Enclaves  may  be  specific  to  an  organization  or  a 
mission,  and  the  computing  environments  may  be  organized  by  physical  proximity  or  by 
function  independent  of  location.  Examples  of  enclaves  include  local  area  networks  and 
the  application  they  host,  backbone  networks,  and  data  processing  centers.” 

The Army has developed its own security policies and procedures known as the Army
Security Architecture for Medical (ARSAM). The other services have similar
incarnations known as the NAVSAM and AFSAM, and the VA has the Medical Device
Isolation Architecture Guide, all with varying success. Today an attempt is being made to
consolidate these efforts into a generic medical device protected enclave security
architecture model - the goal being to present a comprehensive solution to the new
MHS CIO. The North Mississippi Health System (NMHS) is piloting a test of the ARSAM
for feedback in the commercial/private sector. In order to do a creditable job of creating a
generic model, the solution will need to consider the Defense Information Systems
Agency (DISA) Security Technical Implementation Guide (STIG).

3.  Product  life  cycle  approach 

Using product life cycle as a guide would allow security requirements to match product
deliverables. The FDA’s vision of medical device security is grounded in the product life
cycle (see Figure 1). It offers a vision that requires shared responsibility among a COI
comprised of all the stakeholders. Framing network security for healthcare devices and
systems in the context of the evolving product life cycle allows the specific conditions for
the acquisition, deployment and maintenance of these devices and systems in
net-centric environments to ensure:

■  Safety  (personnel  life-critical) 

■  Effectiveness  (system  and  data  availability) 

■  Security  (systems  and  applications) 

■  Interoperability  (systems  and  applications) 


[Figure text: “Ensuring the Health of the Public Throughout the Total Product Life Cycle”]

Figure 1 - FDA Product Life Cycle


There exist two intersecting but distinct product life cycles. The Product Development
Life Cycle is responsible for development from concept to obsolescence and involves
researchers, manufacturers, regulators and vendors. The Product Acquisition Life Cycle
dictates the requirements specification and decides when an acquired product will be
retired. Product acquisition involves regulators, vendors, administrators, clinicians and
engineers. These life cycles have tended to operate independently, resulting in some of
the described security challenges. Moving toward a model in which these life cycles
interact developmentally to assure safety enables a parallel effort to match security
requirements and deliverables particular to medical devices and systems (see Figure 2).
Using the life cycle context provides a framework in which to begin specifying
requirements and a pathway for graduated implementation.


Figure  2  -  The  two  life  cycles  must  developmentally  interact 


The life cycle concept can also be used as a guide for determining how to secure
immediate generation and legacy devices as well as future medical devices and systems.
Tables 1-3 illustrate the parallel efforts between Product Acquisition and Product
Development.


Future devices

What can be done to fully integrate network security into medical device design?

| Product Acquisition | Product Development |
|---|---|
| Understand and value security as well as clinical utility and imagine all devices as networked on the enterprise | Refine regulatory expectations for the networked world |
| Acknowledge shared responsibility for all devices on the enterprise network | Identify and resolve network security issues during research and development |
| Adopt a context-sensitive multifaceted approach to device security | Build and test prototypes with secure components |

Table 1 - Application of product life cycle to future devices

Current and immediate generation devices

What can be done to secure the current and immediate next generation of networked medical devices?

| Product Acquisition | Product Development |
|---|---|
| HIPAA | HIPAA |
| Require technical security controls | Make security a technical design criterion |
| Compare products on security attributes | Advertise security controls |
| Contract for security maintenance support | Include security maintenance in service packages |

Table 2 - Application of product life cycle to current and immediate generation devices

Legacy devices

How can the exposure to legacy devices be minimized?

| Product Acquisition | Product Development |
|---|---|
| Modify service contracts to include security upgrades | Develop affordable, time-sensitive maintenance for reparable devices |
| Disconnect and retire irreparable devices from the network | Identify unsupportable devices |

Table 3 - Application of product life cycle to legacy devices

3.3  Working  Groups 

The conference participants were broken out into five multi-disciplinary groups, chaired
by the subject matter experts who presented on Day One. Each group focused on NSM
issues of its choosing and was tasked with providing a fuller understanding of the selected
issue as well as offering potential solutions.

3.3.1  Working  Group  1 

The participants of Working Group (WG) 1 are listed in Table 4.

| Role | Name | Title/Office | Organization |
|---|---|---|---|
| Co-Chair | Jess Edwards | Chief Privacy & Security Officer | Eastman Kodak Health Group |
| Co-Chair | Sean Lydon | Network Security Engineer | US Army Medical Command |
| Co-Chair | Steven Wexler | Biomedical Engineering/Network Security | Veterans Administration |
| | Erich Murrell | Dep, Med Technology Integration and Support | Air Force Medical Logistics |
| | Richard Wetherell | Senior Director | Siemens Medical Solutions |
| | Frankie Rios | Information Security Architect | HCA Healthcare |
| | Daniel Noble | Global Support Specialist | Agfa Healthcare |
| | Rob Richardson | Program Manager | Army PACS Program Management Office |
| | Mike Fortier | | NAVMEDLOGCOM |
| | Mark Beckner | | Naval Medical Information Management Center |

Table 4 - Working Group 1 Participants

WG  1  examined  the  ambiguities  that  currently  exist  in  dealing  with.  WG  1  identified 
several  ambiguities  in  the  area  of  network  security  for  medical  devices  and  systems  that 
need  clarification  or  context.  These  are: 

■  What  is  the  definition  of  a  “medical  device”?  Currently,  there  are  different 
interpretations.  It  is  not  clear  whether  medical  devices  are  a  special  purpose 
system  at  the  DoD  or  service  level 

■  Application  of  DITSCAP  varies  across  DoD  (service  to  service  and  base  to 
base) 

■  There  is  no  common  definition  of  “interconnect” 

WG  1  outlined  the  following  steps  contingent  on  DoD  making  medical  devices  a  Special 
Purpose  computing  platform: 

■  Team  develops  documents  for  all  services  (white  paper)  on  a  solution  for  having 
Medical  Devices  be  a  Special  purpose  computing  platform. 

■ Use the “medical device” definition as defined by FDA with
examples of what is and what is not a medical device.

■ Define a standard interconnect as the entrance to the enclave or
VLAN.

■  The  Medical  Enclave  could  be  viewed  as  a  Medical  Device  system 
by  FDA 

■  Develop  a  tailored  accreditation  process  for  medical  devices 

■  The  interconnect  is  the  point  where  DITSCAP 

■  Implement  into  DoD  8500  series  so  it  can  be  implemented  at  all  bases 
consistently. 

3.3.2  Working  Group  2 

The participants of Working Group (WG) 2 are listed in Table 5.

| Role | Name | Title/Office | Organization |
|---|---|---|---|
| Co-Chair | Nick Mankovich | | Phillips Medical System |
| Co-Chair | Jeff Collmann | | ISIS/GUMC |
| Co-Chair | John Reed | | North Mississippi Medical Ctr |
| | Steven Lodin | Director, Product IT Security | Roche Diagnostics Corp |
| | Scott Bolte | Product Security Program Manager | GE Healthcare |
| | Steve Valentine | Project Manager | Air Force Medical Logistics |
| | Darrin Good | PM for IM/IT | MRMC |
| | Camillo Tasone | | ISIS/GUMC |
| | Shane Coughlin | Customer Service Manager | ScriptPro |
| | Frank Becker | | Naval Medical Information Management Center |

Table 5 - Working Group 2 Participants

WG 2 chose to examine in more detail the formation of a COI whose goal is to integrate
IA into the full defense acquisition life cycle of net-connected healthcare devices and
systems. Using this organizational model would allow the stakeholders to come together
to clarify and define the special IA requirements of the healthcare device and system
community and oversee its implementation. Group 2 brainstormed the structure of the
proposed COI, the tasks involved with forming the COI and reaching its goal as well as
the required resources.

• Goal: Integrate IA into the full defense acquisition life cycle
of net-connected healthcare devices and systems

• Objective: Define the specific conditions for the acquisition, deployment and
maintenance of healthcare devices and systems in net-centric
environments that ensure:

  ■ Safety (personnel life-critical)
  ■ Effectiveness (system and data availability)
  ■ Security (systems and applications)
  ■ Interoperability (systems and applications)

• Area of Responsibility:

  ■ Health Information Systems - AHLTA, PACS
  ■ Diagnostics Devices and System
  ■ Monitoring Devices and Systems
  ■ Therapeutic Devices and Systems
  ■ Tele-* Systems
  ■ Research Devices and Systems

• Membership / Stakeholders:

  ■ Departments
    o MHS
    o Medical Logistics
    o IA (OSD & Medical)
    o DoD CIO Office
    o VA, VHA, Indian Health
    o HHS NHIN Rep

  ■ Industry / Manufacturers
    o NEMA, Advamed, etc.

  ■ Functions
    o Caregivers
    o Medical Systems Owners
    o Clinical Researchers
    o Ancillary medical services
    o Patient administrators
    o TMA Privacy Officer
    o Contracting

• Tasks Ahead:

  1. Sponsor acceptance of COI and COI leader appointed
  2. Identify members, convene and charter the community (Month 3)
  3. Definition of in-scope healthcare devices and systems (Month 4)
  4. Develop and deliver 8580.xx IA for Net-connected Healthcare Devices
     containing: (1st Draft Month 9)
     ■ IA requirements
     ■ Technical design requirements for secure connection to network
       infrastructure
     ■ Guideline for application of C&A
     ■ Protocols for connection and acceptance testing
  5. Publish 8580.XX IA for Net-connected Healthcare Devices (Month 12)

• Required Resources:

  ■ Personnel
    o Community Leader - 100%
    o Core Team Assigned personnel - 25%
    o Ad hoc Expert Support - 5-10%
    o Administrative Support - 25%
    o Monthly meetings for 12 months

  ■ Budget
    o Telecomm and travel
    o Administration and coordination
    o Documentation Support

3.3.3 Working Group 3

The  participants  of  Working  Group  (WG)  3  are  listed  in  Table  6. 


| Role | Name | Title/Office | Organization |
|---|---|---|---|
| Co-Chair | Glenda Turner | Networks and Information Integration (NII) | Office of the Assist Sec Def |
| Co-Chair | Sean Murphy | | US Air Force Medical Logistics |
| Co-Chair | Steven Foote | Senior Engineer | Program Executive Office |
| | Clarissa Reberkenny | Supervisor Technology Specialist | TRICARE Management Activity |
| | Art King | | IBM (NII) |
| | Doug Hunter | Quality Engineer | Siemens Medical Solutions |
| | Scott Killen | Security Leader | GE Healthcare |
| | Carlo Luciano | Director, Medical Technology/Networking | UPMC BioTronics |
| | Mike Schomer | | NAVMEDLOGCOM |
| | Chris Arricale | | Office of AF Surgeon General |

Table 6 - Working Group 3 Participants

WG 3 looked specifically at the issue of device patching. A large number of healthcare
devices and systems are manufactured by various vendors and supported by a variety of
operating systems, making it difficult to apply upgrades and patches. Additionally,
consistent guidance does not exist to allow vendors to determine and effectively
communicate which software patches are necessary and unnecessary in their device
portfolios, with the result that critical upgrades and patches are not always installed.

The  group  recommended  the  following  steps: 

• Patching should be categorized as follows:

  ■ Issues related to Patient Safety, High Visibility exploit,
    Probability/Frequency should be treated as ‘Critical Patch’ and
    should be patched immediately

  ■ Issues such as Disabled Service, Disrupt clinical operation,
    Workflow mitigation, External mitigation should be treated as ‘Not
    applicable’ and require No Patches.

    ■ Develop criteria for categorizing as “Not applicable” that are
      acceptable in the DoD and commercial operating environments

    ■ Vendors must communicate rationale for the “Not applicable”
      category

  ■ Issues such as Low technical risk, No significant exploit,
    Expensive test/deploy, Minimal proliferation should be treated as
    ‘Next Release’ and can be patched later

• Develop mitigation strategy if patch is not loaded

• Industry group such as HIMSS or NEMA should sponsor and maintain a vendor
vulnerability status repository

• Vendors must publish patch management point of contact, patch validation status
and specific vendor guidance regarding patching policy and procedures.
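
The WG 3 categories can be applied mechanically to the records a vendor vulnerability status repository would hold. The following Python example is added here and is not part of the workshop report; it triages constructed advisory records and flags the obligations the group attached to each category. The factor names, record fields and the precedence Critical, then Not applicable, then Next Release are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    CRITICAL = "Critical Patch"
    NOT_APPLICABLE = "Not applicable"
    NEXT_RELEASE = "Next Release"


# Hypothetical factor labels standing in for the criteria WG 3 lists.
FACTORS = {
    Category.CRITICAL: {"patient_safety", "high_visibility_exploit",
                        "probability_frequency"},
    Category.NOT_APPLICABLE: {"disabled_service", "disrupts_clinical_operation",
                              "workflow_mitigation", "external_mitigation"},
    Category.NEXT_RELEASE: {"low_technical_risk", "no_significant_exploit",
                            "expensive_test_deploy", "minimal_proliferation"},
}
# Assumed precedence when factors from more than one category apply:
# a patient-safety issue stays critical even if an external mitigation exists.
PRECEDENCE = [Category.CRITICAL, Category.NOT_APPLICABLE, Category.NEXT_RELEASE]


@dataclass
class Advisory:
    device: str
    patch_id: str
    factors: frozenset
    vendor_rationale: str = ""  # vendor must explain a "Not applicable" rating
    mitigation: str = ""        # required whenever the patch is not loaded
    installed: bool = False


def triage(adv):
    """Return (category, gaps): the WG 3 category and any unmet obligations."""
    known = set().union(*FACTORS.values())
    unknown = adv.factors - known
    if unknown:
        raise ValueError(f"unrecognised factors: {sorted(unknown)}")
    category = next((c for c in PRECEDENCE if adv.factors & FACTORS[c]), None)
    gaps = []
    if category is None:
        gaps.append("no classification factors supplied by vendor")
    if category is Category.CRITICAL and not adv.installed:
        gaps.append("critical patch not installed")
    if category is Category.NOT_APPLICABLE and not adv.vendor_rationale.strip():
        gaps.append("vendor rationale for 'Not applicable' missing")
    if not adv.installed and not adv.mitigation.strip():
        gaps.append("no mitigation strategy for unloaded patch")
    return category, gaps


def open_items(advisories):
    """Map 'device/patch_id' to its gaps for every record that has any."""
    report = {}
    for adv in advisories:
        _, gaps = triage(adv)
        if gaps:
            report[f"{adv.device}/{adv.patch_id}"] = gaps
    return report


# Constructed sample records; device names and patch ids are placeholders.
SAMPLE = [
    Advisory("ct-scanner", "PATCH-001",
             frozenset({"patient_safety", "external_mitigation"}),
             mitigation="device isolated on the medical VLAN"),
    Advisory("monitoring-system", "PATCH-002",
             frozenset({"disabled_service"}),
             mitigation="affected service is disabled on the device"),
    Advisory("pacs-workstation", "PATCH-003",
             frozenset({"low_technical_risk", "expensive_test_deploy"})),
    Advisory("lab-analyzer", "PATCH-004",
             frozenset({"workflow_mitigation"}),
             vendor_rationale="feature is never used in the clinical workflow",
             mitigation="workflow avoids the affected feature"),
]

if __name__ == "__main__":
    for adv in SAMPLE:
        category, gaps = triage(adv)
        print(adv.device, adv.patch_id, category.value, gaps)
```
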

The potential execution strategy for device patching is illustrated in Figure 3.

Figure 3 - Potential Execution Strategy


Another issue identified by WG 3 is lack of consistency in interpretation of IA across the
DoD and VA. WG 3 proposed using the COI concept for developing consensus among
the stakeholders as to which IA controls are critical. The recommendations are as
follows:

• Allow “credit” for other tests

  ■ Proposed FDA Safety Certification

  ■ Defense Medical/Health IA Working Group (COI)
    o Include “Line” Communicators
    o Develop consensus among participants as to what IA controls
      are critical and communicate this information in procurement
      actions
    o Provide uniform guidance on the DITSCAP/DIACAP
      processes
    o Craft 85XX-IA document of language for medical devices
    o Identify/establish COI Accreditation Authority

3.3.4  Working  Group  4 

The  participants  of  Working  Group  (WG)  4  are  listed  in  Table  7. 


| Role | Name | Title/Office | Organization |
|---|---|---|---|
| Co-Chair | Brian Fitzgerald | Deputy Director | Food and Drug Administration |
| Co-Chair | Matt Ketko | Agha Healthcare Security Engineer | |
| Co-Chair | Jennifer Ellet | | TRICARE Management Activity |
| | Ed Doom | | NAVMEDLOGCOM |
| | John Michel | IA Task Lead | RGII Technologies Inc. |
| | Jason Cooper | VP & Director, Health and Life Sciences | MATRIC |
| | Brett Walsh | Systems Security Analyst | ScriptPro |
| | Keith McCall | President | KRM Associates, Inc. |
| | Tom Koenig | | Naval Medical Information Management Center |

Table 7 - Working Group 4 Participants

WG 4 discussed the lack of a standardized maintenance platform. There is no
consistency in ports and protocols; the policy and procedures are not in place to enable
vendor access to the devices in order to perform maintenance. Within DoD, some
maintenance tools are allowed while others are not. On the vendor side, there is not a
standardized set of maintenance tools.

WG  4  proposed  a  centralized  management  approach  with  a  standardized  maintenance 
platform.  The  following 

■  Define  a  medical  device 

■  Identify  as  a  Special  Purpose  Computing  Platform 

■  Segregate  the  medical  network 

■  Provide  remote  access  for  vendors 

■ Standardize IA-centric contract language

■  Centralize  Designated  Accreditation  Authority  (DAA)  waivers 

3.3.5  Working  Group  5 

The  participants  of  Working  Group  (WG)  5  are  listed  in  Table  8. 


| Role | Name | Title/Office | Organization |
|---|---|---|---|
| Co-Chair | Phillip La Joie | Tri-Service Infrastructure Mgmt Program Office | TRICARE Management Activity |
| Co-Chair | Gary Crouch | Director of Telehealth | Great Plains Regional Medical Command |
| Co-Chair | Leroy Luginbill | STRATCOM | Joint Task Force/Global Network Operations |
| Co-Chair | Stephen Grimes | | Vanderbilt University |
| | Michael Stridsberg | Product Security Architect | GE Healthcare |
| | Travis Gillitzer | Network & Systems Security Manager | ScriptPro |
| | Michael Miller | RESS/Network & Application Engineer | UPMC BioTronics |
| | Tom Vaccaro | Wireless Systems Engineer | Hospira, Inc. |
| | Doug Hunter | Quality Engineer | Siemens Medical Solutions |
| | Dave Lindisch | | ISIS/GUMC |

Table 8 - Working Group 5 Participants

WG 5 considered the need for security certification. Currently customers have no
assurance that a healthcare device meets any defined level of security. A certification
process would force the issue of establishing levels of security against which a product
could be certified. The recommendation is to task a Standards Development
Organization (SDO) (e.g., ISO, IEEE, NEMA) with the development of certification
standards and levels.

WG 5 also examined the architecture for medical system network operations. Currently,
control of medical system network operations is vested in hundreds of DAAs, making
effective security management impractical. The underlying architecture must provide
unified management, mitigation and control that includes but is not limited to the
following:

■ Single access point for remote service

■ Common interface management (ports and protocols)

■ Common security risk assessment and mitigation strategies

Group 5 recommended the formation of an MHS/ASD, Health Affairs task force that is
charged with developing a strategy to transition to a single medical COI network.

3.4  Recommendations 

The overarching goal is to integrate IA into the full defense acquisition life cycle of
net-connected healthcare devices and systems in order to protect the healthcare delivery
process. The NSM workshop produced the following recommendations:

Establish  a  Medical  Community  of  Interest 

Develop a Medical COI network between Army, Air Force, Navy, and Veterans
Administration medical treatment entities to promote smooth and efficient transfer of
medical information on a shared patient population. Action items include:

■ Separate medical healthcare delivery environments from non-medical military
networks except through a limited number of interconnect gateways that must
be owned by the military-DoD network/security management entity and
constantly monitored, IA-compliant, and otherwise acceptable to the military and
DoD for transferring unclassified but sensitive healthcare information as needed
to support the medical mission across the wide area.

■ Form a multi-Service and VA Task Force to define COI requirements and
develop a strategy for transitioning all to a single Medical COI, meeting monthly
with a target of completion within 9-12 months.

■  Boundaries  of  the  COI  must  also  be  clearly  defined. 

The Medical COI can potentially also be used later as a model for Public Health/State
health systems, civilian health systems and essential national biosurveillance activities.

Protect  the  Medical  Community  of  Interest 

Protect  the  COI  and  vulnerable  medical  devices/related  systems  by  architecting  and 
implementing  a  multi-Service  (DoD)  &  VA  defense-in-depth  Medical  enclave  and  ensure 
proper  installation,  operation,  management  and  sustainment.  The  multi-Service  and  VA 
Task  Force  would  participate  in  creating  the  enclave;  however,  some  more  technical 
individuals  may  be  needed  to  augment  the  TF  for  this  aspect.  MHS  is  recommended  as 
lead  agent  for  implementation  and  management,  with  distributed  operations  and  support 
by  service  medical  IM/IT  networking  organizations  (relationships  must  be  defined).  The 
action  items  include: 

■ Create 85XX-Med-IA guiding document at DoD CIO level to define medical
community of interest and enclave, as well as consistent IA/certification
processes and controls.

■ Establish an explicit definition of medical devices/healthcare information systems
that acquire, contain or transport patient medical information that is consistent
with the law and functional medical environments, and IA requirements.

■ Establish a standard Industry medical device patching process and include in
definition of 85xxx-Med-IA controls section. An industry group such as HIMSS,
NEMA, FDA, or other sponsor can maintain a vendor vulnerability status
repository. Patch guidelines could mimic MDS2 strategy process involving
HIMSS/NEMA governance, communication with vendors, development of IA
documentation and vendor communication of status to customers. Could also
model DoD process for communication of vulnerability, timely responses by
vendors to customers pertaining to applicability and authority to load patches, or
deferral for a specified period of time for vendor testing and validation as
necessary.

■ Establish a Multi-Service/VA accreditation authority (DAA) for decisions relative
to the enclave and COI network.

■ Provide a common interface management framework (i.e., ports and protocols)
and ensure medical products are registered for these in DoD/VA environments.

■ Establish common security risk assessment and mitigation strategies.

Establish  Guidance  for  Industry 

■ Establish and communicate to Industry a minimum baseline security requirement
and have them assist in developing a standard Industry IA Conformance
Statement that addresses these minimum requirements.

■ Establish a single Protected Remote Vendor Access solution for troubleshooting
and maintenance of specific medical devices/systems, to include updating IA
when appropriate. Create a Security Technical Implementation Guide (STIG) for
this solution and have it published through DoD.

■ Have a higher level of base requirements for those systems that must "touch" or
interconnect directly with DoD Non-secure Internet Protocol (NIPR) networks (e.g.,
teleradiology/telemedicine and/or PACS devices in deployed environments).

■ Standardize contract language for medical equipment to ensure requirements for
medical device IA/security baselines are included as appropriate to their use.

■  Establish  an  independent  Industry  Medical  Device  Security  certification  process 
so  that  vendors  may  have  a  low-cost  or  no-cost  way  to  develop/validate  a 
product's  conformance  and  documentation.  This  effort  could  be  supported  by  an 
existing  standards  organization  such  as  ISO,  IEEE,  NEMA. 


4.0  Key  Research  Accomplishments 

The  key  accomplishments  are  as  follows: 

■  organization  and  execution  of  the  Multi-Center  Image  Management  Workshop 

■  organization  and  execution  of  the  Network  Security  of  Medical  Devices  and 
Systems  Workshop 

5.0  Reportable  Outcomes 
Manuscripts,  abstracts,  presentations 

Mun SK, Ingeholm ML, Tohme W, Cleary K. Open Source Software for Multicenter
Image Management. Proceedings of IEEE EMBS International Conference on
Information Technology Applications in Biomedicine (ITAB-ITIS 2006), Ioannina, Greece,
October 26-28, 2006.

Tarbox LR, Vasilescu EN, Prior FW, Moore SM, Padh S, Mun SK. Research Master
Subject Index - Bridging Research and Clinical ID Domains using WS/PIDS. Submitted
for presentation to the Society for Imaging Informatics in Medicine, September 11, 2007
and publication in the Journal of Digital Imaging (accepted).


Funding  applied  for  based  on  work  supported  by  this  award 

A follow up workshop to the MCIM workshop is planned for 2007.
Applications for funding have been made to the following:

R13 to the National Institute of Biomedical Imaging and Bioengineering for
conference support for $47,000 (pending)

Conference Support Request from USAMRMC for $40,000 (approved)


6.0  Conclusion 

Each  of  the  workshops  defined  and  clarified  the  most  significant  issues  and  offer 
guidance  in  proceeding  with  a  solution.  The  MCIM  workshop  concluded  that  many  of 
the  challenges  encountered  in  managing  medical  images  apply  to  other  types  of 
multimedia  medical  information;  thus,  future  endeavors  should  not  be  restricted  to  image 
management  but  should  be  expanded  to  include  medical  information  management.  The 
MCIM workshop participants also determined that an open source effort by the research
community  to  develop  robust,  freely  available  tools  that  meet  the  information 
management  needs  of  basic,  clinical  and  translational  research  is  essential  to  mend  the 
gap  between  the  research  and  clinical  communities.  As  a  result  of  the  workshop,  the 
ImTK  Consortium  has  been  established  to  support  this  effort.  The  mission  of  ImTK  is  to 
expedite  translational  biomedical  research  through  the  development  of  software  tools 
that  enable  efficient  exchange,  sharing,  management,  and  analysis  of  multimedia 
medical  information  such  as  clinical  information,  images,  and  bioinformatics  data. 

ImTK™  will  be  based  on  an  open  source  and  open  architecture  approach  to  allow 
scientists,  engineers  and  physicians  throughout  the  world  to  participate  in  this  initiative. 

The  consortium  will  support  the  development  of  robust  software  for  research  applications 
and  commercial  products  through  conferences,  training  sessions,  and  tutorials. 

The overall conference strategy of the NSM workshop was for subject
matter experts from a variety of clinical functional areas and operational environments related to
network  management  and  device  security  to  present  significant  issues  of  importance  from  their 
perspectives  and  establish  a  baseline  of  common  understanding  from  which  to  then  break  down 
into  multi-disciplined  workshop  groups  to  define  problems  and  recommend  solutions  to  senior 
executive  decision  makers  in  the  DoD,  industry,  academia,  and  the  civilian  health  system  for 
protecting  these  essential  clinical  tools  and  related  healthcare  delivery  workflows. 

The  invited  experts  and  practitioners  provided  an  excellent  set  of  presentations  to  the 
conference  body.  They  also  served  as  co-chairs  of  the  working  groups.  As  co-chairs  they  led 
discussions  of  current  challenges  and  stimulated  definition  of  solutions  for  protecting  vulnerable 
FDA-approved  medical  devices  and  related  systems  on  hospital  enterprise  networks.  It  became 
evident  that  the  rapid  proliferation  of  networked  medical  devices  and  systems  essential  to 
efficient  clinical  workflows  in  and  between  hospital  environments,  combined  with  increasing 
network  security  and  information  assurance  requirements  has  established  an  emergent  need  for 
the  development  of  a  common  Information  Technology  approach  to  protecting  the  healthcare 
delivery  process.  The  conference  explored  these  issues  and  developed  a  set  of  possible 
solutions  with  the  intent  of  developing  a  recommended  set  of  guidelines  for  use  by  any 
healthcare  enterprise. 

Recommendations  from  the  five  breakout  groups  were  presented  back  to  the  plenary  group, 
followed  by  further  discussion  intended  to  challenge  recommended  solutions  and  seek  common 
ground  among  the  conference  body.  The  following  general  recommendations  are  the  resulting 
output  of  the  conference. 

■  Establish  a  Medical  Community  of  Interest 

Develop  a  Medical  Community  of  Interest  (COI)  network  between  Army,  Air  Force,  Navy, 
and  Veterans  Administration  medical  treatment  entities  to  promote  smooth  and  efficient 
transfer  of  medical  information  on  a  shared  patient  population  most  efficiently 

■ Protect the Medical COI

Protect  the  COI  and  vulnerable  medical  devices/related  systems  by  architecting  and 
implementing  a  multi-Service  (DoD)  &  VA  defense-in-depth  Medical  enclave,  ensuring 
proper  installation,  operation,  management  and  sustainment. 

■  Establish  Guidance  for  Industry 

Establish and communicate to Industry a minimum baseline security requirement
and have them assist in developing a standard Industry IA Conformance
Statement that addresses these minimum requirements.

Multi-center Image Management Workshop

Open  Source  Universal  PACS  Archive 
March  6-9,  2006 

Renaissance  Hotel  and  Resorts 
Las  Vegas,  Nevada 

AGENDA 


MONDAY  MARCH  6 

6:00-8:00pm  Ice  Breaker  and  Registration 

TUESDAY  MARCH  7 

7:30am  Continental  Breakfast 


Morning: The Gap: What is the Problem we are trying to solve?

8:00am Welcome and Opening Remarks
Chair: Seong K. Mun, PhD, Georgetown University
Rapporteur: Inyoung Choi, PhD, Georgetown University

8:15am New challenges in visualization and navigation of very large image data set
Osman Ratib, MD, PhD
Universite de Geneve

8:45am Image Management for Research and Clinical Trials
Fred Prior, PhD
Washington University at St Louis

9:15am Ongoing Challenges with Legacy PACS Data Migration within the US Army
Robert deTreville
US Army

9:45am Coffee Break


10:15am Chair: Bill Mortimore, Merge Technologies
Rapporteur: Adil Alaoui, Georgetown University

10:15am NLM Perspective on the Problem
Terry Yoo, PhD
NLM/NIH

10:45am The Digital Medical Record: Promise and Peril
Michael Pentecost, MD
Kaiser Permanente

11:15am User Centered Innovation Beyond Open-Source Software
Donald Harrington, MD
NIBIB/NIH

11:45am Market Wide PACS Implementation
Inki Mun, PhD
Aventura Hospital and Medical Center

12:00-1:30 Lunch

Afternoon: Possible Solutions

1:30pm Chair: Michael J. Ackerman, PhD, NLM/NIH
Rapporteur: Lawrence Tarbox, PhD, Washington University at St Louis

1:30pm Filling the gaps with IHE Open Source Tools
David Channin, MD
Northwestern University

2:00pm The RSNA MIRC Application - An Open Source Management System for Teaching Files and Multi-Center Clinical Trials
John Perry
Radiological Society of North America

2:30pm Multimedia infrastructure issues in Grid environments
Eugen Vasilescu, PhD
Georgetown University

3:00pm Coffee Break

3:30pm Chair: Michael Brazaitis, MD, WRAMC
Rapporteur: Pat Mongkolwat, PhD, Northwestern University

3:30pm Practical Challenges in a Heterogeneous Global PACS Architecture
Pete Killcommons, MD
MedWeb

4:00pm Building an Open Source Platform: A case study from Mac OS X and Apple
Ernest Prabhakar, PhD
Apple

4:30pm Open Source Approaches and Lessons Learned from Other Industries
Walid G. Tohme, PhD
Georgetown University

WEDNESDAY  MARCH  8,  2006 

Morning  Session  1:  The  Bridge:  Open  Source  Strategy 

7:30am  Continental  Breakfast 

8:00am  Chair:  David  Channin,  MD,  Northwestern  University 

Rapporteur:  Pat  Mongkolwat,  PhD,  Northwestern  University 

8:00am  Open  Source  Imaging  Tools 

Rick  Avila 
Kitware  Inc. 

8:30am  A  Case  Study  in  Open  Source  Software:  The  Image-Guided  Surgical  Toolkit 

Kevin  Cleary,  PhD 
Georgetown  University 

9:00am The Open Three (O3) Consortium Project

Paolo  Inchingolo,  PhD 
University  of  Trieste 

10:00am  Coffee  Break 

Morning Session 2: Industry Panel

10:30am Chair: Fred Prior, PhD, Washington University at St Louis

Rapporteur: Robert deTreville, US Army

(Invited  Panel  Participants) 

Agfa 

IBM 

Medical  Standard 
Merge  Technologies 
Siemens 
Teramedica 

12:00pm  Lunch 

Afternoon  Session  1:  Next  Steps  and  Government  Perspectives 

1:30pm Chair: Kevin Cleary, PhD, Georgetown University

Rapporteur: Inyoung Choi, PhD, Georgetown University

1:30pm  Mind  the  Gap! 

Michael  J.  Ackerman,  PhD 
NLM/NIH 

2:00pm  Triple  Helix  Model 

Conrad  Clyburn 
TATRC 

2:30pm  Perspectives  from  FDA 

Alford  Taylor 
CDRH/FDA 

3:00pm The United States Measurement System: Roadmapping America's Measurement Needs for a Stronger Innovation Infrastructure

Richard  Spivack,  PhD 
NIST 

3:30pm  Coffee  Break 

Afternoon Session 2: Innovations

4:00pm Chair: Conrad Clyburn, TATRC

Rapporteur: Adil Alaoui, Georgetown University

4:00pm Can peer-to-peer technology apply to medical image mgt in complex clinical workflow?

Osman  Ratib,  MD,  PhD 
Universite  de  Geneve 

4:30pm Application Hosting: A Standardized API for Launching and Communicating with 'Plug-in' Applications
Lawrence  Tarbox,  PhD 
Washington  University  at  St  Louis 

5:00pm  HealthGrid:  Grid  Technologies  for  Biomedicine 

Mary  Kratz 

University  of  Michigan 

6:00-8:00pm Reception

THURSDAY MARCH 9, 2006

8:00-10:00am Report Back Session — All participants invited
Chair: Walid Tohme, PhD, Georgetown University

Rapporteur Summary (10 min for each session)
Adil Alaoui, Inyoung Choi, Robert deTreville, Pat Mongkolwat, Lawrence Tarbox

10:00am Closing Remarks
Seong K. Mun, PhD, Georgetown University

Post meeting Golf Tournament (Optional - Sign up by COB Friday March 3rd by email
mun@isis.georgetown.edu. green fee)

Network Security for Medical Devices & Systems Conference

Arlington  Hilton  Hotel 
Arlington,  Virginia 
June  12-14,  2006 

AGENDA 


MONDAY  June  12 

6:00-8:00pm  Ice  Breaker  and  Registration 

7:00-10:00pm Presenter and Conference Staff Dinner

TUESDAY  June  13 

7:30am  Continental  Breakfast 

Morning-Afternoon Sessions: The Problem; - What are we trying to solve? - Potential
Solutions; - What are we doing to resolve problems and mitigate Risk?

8:00am Welcome and Introduction of Key Note Speaker:
Seong K. Mun, PhD, Georgetown University

8:10am Key Note Speaker: Mr. Carl Hendricks, (SES), CIO, Military Health System
(MHS), Office of the Assistant Secretary of Defense, Health Affairs
(OASD/HA)

8:20am Morning Sessions: Presentations
Rapporteur: Adil Alaoui, Georgetown University
Chair: Robert E de Treville, Senior Advisor, PACS/EMR, MRMC/MHS

8:40am “Whose Problem is it?” Overview of the Inherent Vulnerabilities of Networked
Medical Devices, and What We can do by Working Together to Protect Them; -
and Minimize Operational Impacts. - It takes a Team Approach
Jeff Collmann PhD, Georgetown University

9:00am Cyber-security in Medical Devices, Problems and Related Guidance; - FDA Perspective
Brian Fitzgerald, Deputy Director, Electric Engineering and Software, FDA

9:20am Cyber-security in Medical Devices; - Industry Perspective
Jess Edwards, Eastman Kodak Health Group for
Mr. Evan Gaddis, President and CEO, NEMA

9:40am Coffee Break

10:00am Cyber-security and Medical Devices; - Changing the Manufacturer Organization
Nick Mankovich, PhD, Philips Medical Systems

10:20am Medical Device Security; - US Air Force Perspective
Sean Murphy, Major, US Air Force Medical Logistics Office

10:40am DoD Information Assurance Policy in Support of Bio-Medical Networks and
System Security; - The Network-Centric vision. - From the medical domain,
looking for feedback for improvement as a result of this conference
Glenda Turner, Office of the Assistant Secretary of Defense (Networks and
Information Integration)

11:00am 2006 Information Assurance (IA) Workshop - Dynamic IA for the Global
Information Grid (GIG): Securing the Warfighter Today and Tomorrow
Jennifer Ellett, TRICARE Management Activity (TMA), Office of the Assistant
Secretary of Defense

11:20am Building Protected Networks for Clinical Systems; - Military Health System
Perspective, Lessons Learned and Focus for the Future
Phillip LaJoie, Tri-Service Infrastructure Management Program Office (TIMPO),
Military Health System (MHS)

11:40pm Security Assessments for Clinical Systems: - to identify vulnerabilities, analyze
probability of risks, and implement safeguards; - from a real life example
Stephen Grimes, Vanderbilt University Medical Center

12:00pm 20 Minute Break then Working Lunch: Afternoon Presentations
Rapporteur: Adil Alaoui, Georgetown University
Chair: Jeff Collmann, PhD, Georgetown University

12:20pm Army Security Architecture for Medical (ARSAM)
Steven Foote, Senior Engineer, Program Executive Office, Enterprise Information
Systems Technology Applications Office

12:40pm Army Medical Command’s Defense in Depth (DID) Architecture; - history, goals
and recommendations
Sean Lydon, US Army Medical Command Defense in Depth Engineer

1:00pm Proxy Servers and Secure Communications for Clinical Workflows
Matt Ketko, Agfa Healthcare Security Engineer

1:20pm Lessons Learned from Implementation of the ARSAM in a Private Healthcare
Enterprise
John Reed, North Mississippi Medical Center/Health Services

1:40pm Veterans Administration (VA) Medical Network Isolation Architecture
Steven Wexler, Veterans Administration

2:00pm Coffee Break

2:20pm Security Architecture for Radiology Picture Archive and Communications System
(PACS) in the Great Plains Regional Medical Command (GPRMC)
Gary Crouch, Director of Telehealth, GPRMC

2:40pm Overview of Global Interconnectivity of the Healthcare Community, the Internet,
and DoD Infrastructure
LeRoy Luginbill, Strategic Command, Joint Task Force - Global Network
Operations

3:00pm Late Afternoon Session - Initial Break-out into Groups
Coordinators:
Jeff Collmann, PhD, Georgetown University
Neal Neuberger, Health Tech Strategies

3:30pm Breakout Group Session

6:00pm  Adjourn  for  Day 

7:00pm  Dinner 

WEDNESDAY  June  14 

7:30am Continental Breakfast

8:00am  Morning  Session:  “Break-out  Groups” 

12:00pm  20  Minute  Break,  then  working  Lunch:  “Break-out  Group  Presentations” 

12:20pm  Afternoon  Session:  “Break-out  Group  Presentations” 

Rapporteur: Neal Neuberger, Health Tech Strategies

Rapporteur: Adil Alaoui, ISIS, Georgetown University

Chair:  Robert  E.  de  Treville,  Senior  Advisor,  PACS/EMR,  MRMC/MHS 

Chair:  Jeff  Collmann,  PhD,  Georgetown  University 

Chair:  Seong  Ki  Mun,  PhD,  Georgetown  University 

3:00pm  Co-Chair  Panel  Summary  Discussion:  “Consolidate  recommendations  and  define 

next  steps” 

Rapporteur:  Neal  Neuberger,  Health  Tech  Strategies 

Rapporteur: Adil Alaoui, ISIS, Georgetown University

Chair:  Robert  E.  de  Treville,  Senior  Advisor,  PACS/EMR,  MRMC/MHS 

Chair:  Jeff  Collmann,  PhD,  Georgetown  University 

Chair:  Seong  Ki  Mun,  PhD,  Georgetown  University 

4:30pm  Conference  Survey 

5:00pm  Conference  Adjourns 

Multi-center Image Management Workshop

Open  Source  Universal  PACS  Archive 


Abstracts 


New  Challenges  in  Visualization  and  Navigation  of  Very  Large  Image  Data  Set 

Osman  Ratib,  MD,  PhD,  Universite  de  Geneve 

Display  and  interpretation  of  multi  dimensional  data  obtained  from  the  combination  of  3D 
data  acquired  from  different  modalities  (such  as  PET-CT)  require  complex  software  tools 
allowing  the  user  to  navigate  and  modify  the  different  image  parameters.  With  faster 
scanners  it  is  now  possible  to  acquire  dynamic  images  of  a  beating  heart  or  the  transit  of 
a  contrast  agent  adding  a  fifth  dimension  to  the  data.  Clinicians  and  referring  physicians 
have  often  only  limited  access  to  medical  images  through  a  web-based  system  with  slow 
access  and  relatively  limited  image  manipulation  capabilities.  With  the  recent  evolution 
of  imaging  modalities  toward  high  resolution  multidimensional  imaging  techniques  users 
have  started  to  rely  on  advanced  image  display  and  navigation  features  such  as  image 
fusion,  3D  volume  rendering  and  multiplanar  reformatting.  These  features  are  becoming 
essential  for  physicians  and  surgeons  that  depend  on  adequate  visualization  of  the 
image  data  to  perform  complex  interventions  or  assess  the  effect  of  a  given  therapeutic 
procedure.

Osirix  is  an  Open  Source  advanced  visualization  software  and  provides  real  time 
navigation  in  very  large  sets  of  5  dimensional  data  based  on  an  intuitive  and  user 
friendly  user  interface.  This  project  is  focused  on  the  user  interface  and  means  for 
interactively  navigating  in  these  large  data  sets  while  easily  and  rapidly  changing 
multiple  parameters  such  as  image  position,  contrast,  intensity,  blending  of  colors, 
magnification etc. It was specifically designed for non-expert users and clinicians for
convenient  and  efficient  image  visualization  and  interactive  navigation  through  complex 
sets  of  data. 


Issues 

• Exponential increase in image data of Multidetector CT, Multimodality imaging (PET-CT),
Functional imaging, Time-varying image data and Molecular imaging.

• Imaging modalities are evolving toward high resolution multidimensional imaging
techniques from 3rd dimension CT, MRI, PET into dimension dynamic fusion image

•  Image  display  and  navigation  features  are  becoming  essential  to  perform  complex 
interventions  or  assess  the  effect  of  a  given  therapeutic  procedure 

Challenges 

• Osirix is an Open Source advanced visualization software and provides real time
navigation  for  5  dimensional  image  data 

•  Distributed  under  the  GNU-General  Public  License.  Anyone  can  have  access  and  modify 
the  source  code. 

•  Clinicians  and  referring  physicians  can  have  better  access  to  medical  images  and  better 
visualization  capabilities 

Next  steps 

•  Currently  based  on  peer-to-peer  data  sharing  technology.  Can  it  be  applied  for  complex 
clinical  workflow? 

Image Management for Research and Clinical Trials

Fred  Prior,  PhD,  Washington  University  at  St.  Louis 

Clinical  PACS  were  not  designed  to  readily  support  the  image  management  and 
analysis  needs  of  multi-center  clinical  trials  and  other  research  imaging 
applications.  Similarly,  PACS  image  repositories  have  been  optimized  to  support 
diagnostic  radiology  workflow  and  do  not  support  the  integration  of  multi-scale 
information  or  complex  information  retrieval  requests  needed  to  support  data 
mining  based  research.  This  talk  reviewed  their  laboratory’s  experiences  with 
image  based  multi-center  clinical  trials,  the  creation  of  research  image  libraries 
and  management  systems  for  a  research  imaging  center  to  establish 
requirements  for  future  open  source  distributed  image  and  information 
management  tools. 


Issues 

•  Requirements  for  research  applications  are  quite  different  from  the  standard 
clinical  environment.  Research  images  are  either  drawn  from  clinical  records  or 
are  specifically  collected  -  in  both  cases  they  are  stored  in  the  clinical  PACS. 

•  Dual  use  of  the  clinical  PACS  can  complicate  clinical  workflow  if  the  research 
study  is  outside  the  normal  standard  of  care  or  the  research  protocol  requires  a 
different  workflow  model. 

•  Clinical  PACS  are  designed  to  manage  PHI  and  have  limited  ability  to  support 
de-identification  or  anonymization 

•  PACS  image  repositories  do  not  support  the  integration  of  multi-scale  information 
or  complex  information  retrieval  requests  needed  for  data  mining  or  outcomes 
research. 

•  The  research  community  needs  well  designed,  freely  available  tools  that  meet 
the  information  management  needs  of  the  full  spectrum  of  basic,  clinical  and 
translational  research 

Challenges 

• The Silent Infarct Transfusion Trial (SITT) is a multi-center clinical trial to
determine the efficacy of blood transfusion therapy as a treatment for preventing
silent strokes in children with sickle cell disease. The imaging core of a multi-center
trial provides a number of services such as image accumulation, de-identification,
image transport, quality assurance, image management, image
processing or presentation for reading, workflow management and collection and
analysis of imaging results

• CLINDB/ClinPortal is a collaborative project just getting underway. It provides
translational  researchers  access  to  information  gathered  as  a  result  of  routine 
patient  care  and  integrated  access  to  data  acquired  from  research  subjects  (and 
animal  models)  and  stored  in  multiple  information  repositories. 

Next  steps 

•  Information  management  components  must  deal  with  a  broad  spectrum  of  data 
types  and  support  complex  queries  and  data  mining 

Ongoing Challenges with Legacy PACS Data Migration within the US Army

Robert  E.  DeTreville,  US  Army 

The US Army has been acquiring and archiving PACS images since 1992.
Migration of legacy PACS images has taken years to figure out and still is not yet
complete within the US Army. Even data migration from older to newer systems
with the same vendor is problematic, much less between legacy and incumbent
vendors. This talk generally describes some of the problems and issues
associated with the current data migration process, and addresses some areas
of focus for future improvement.


Issues 

• US Army has been acquiring and archiving PACS images since 1992. Initial
effort focused on migrating Legacy Data to new archive systems as PACS
systems are upgraded or replaced.

• Integrating and managing all enterprise clinical information into the multi-media
Electronic Medical Record (EMR) is becoming new focus

•  A  standard  vendor-independent  approach  to  image  archive  and  management 
would  simplify  the  challenges  of  data  migration  in  the  future. 

•  Migration  process  is  more  difficult  when  multiple  PACS  vendors  are  involved,  e.g. 
the  legacy  PACS  vendor  that  no  longer  has  the  customer’s  PACS  business  and 
the  new  vendor. 

Challenges 

• Past migration experiences of Brooke Army Medical Center (BAMC), Madigan
Army Medical Center (MAMC), and Tripler Army Medical Center (TAMC) are
generally “Not Good”, but getting somewhat better

-  Different  image  storage  format 

-  Different  image  compression  ratio 

-  Corrupt  information  on  the  platter 

-  Low  vendor  support 

Next  steps 

• We need a more standard approach to storing, protecting and managing patient
image  data;  such  that  the  long  term  PACS  archiving  and  management  process  is 
independent  of  proprietary  vendor  protocols,  lengthy  data  migration  activities, 
and  related  contractual  challenges. 

•  Medical  images  must  be  protected,  preserved,  and  readily  available  throughout 
the  continuum  of  care. 

MCIM Research Workbench: Committed to Science and Accelerating Development

Terry  Yoo,  PhD,  NLM/NIH 


Issues 

• Multi-center image management is comparative exploration, reduces redundancy
of research, enforces good research practices, and shares ideas

•  Requirements  for  accelerating  discovery  include  team  science,  lowering  barriers 
and  entry  costs,  enabling  (enforcing)  repeatable  results  and  eliminating  oversight 
through  transparency 

•  Academia  improves  communication,  participation,  reproducible  science  and  can’t 
sequester  results  (ex,  GenBank) 

•  Industry  accelerates  technology  transfer,  expedites  incorporation  of  new 
research,  eases  staffing  and  employment,  does  not  compete  with  product 
development  and  can’t  gain  exclusive  rights  to  algorithms  (ex,  Osirix) 

• Government improves accountability, reduces redundancy, and increases impact of
funding

• Open source initiatives encourage high-level technical communication, provide
conventions for inter-operable software development, establish a baseline for
improvement, open the field to “beginners”, and create common ground for
product development

•  NLM  committed  to  open  source/  open  data  for  the  last  10  years  and  funded  the 
ITK  $12  million  over  5  years.  It  is  the  time:  We  have  commodity  network  and 
commodity  computing  there  is  opportunity  for  scientific  discovery  and  shared 
engineering 

•  MCIM  research  workbench  is  beyond  clinical  trials,  beyond  software 
development,  beyond  inexpensive  PACS.  It  is  “Grand  unification”  across  scale 
and  domain. 

•  Business  Model  Consortium  :  Not  too  small  community,  start  with  a  medium 
community  and  grow  to  an  international  movement 

Challenges 

•  Make  policy  changes  emphasizing  visualization 

•  Long  term  recommendation 

•  Create  collaborative  programs 

•  Investment  in  the  future 

•  National  investment,  and  open  source  software  and  open  data  collections 

Next  steps 

•  Extreme  programming  and  daily  testing  is  the  key  for  success 

-  Testing  anchors  and  drives  the  development  process  (Dart) 

-  Opens  up  the  development  process  to  everyone 

-  Developers  monitor  the  testing  dashboard  constantly 

-  Problems  are  identified  and  fixed  immediately 

-  Developers  receive  e-mail  if  they  “break  the  build” 

The Digital Medical Record: Promise and Peril

Michael J. Pentecost, MD, Kaiser Permanente

The  advent  of  the  electronic  medical  record  (EMR)  improves  patient  safety  and 
prevents  clerical  mistakes  as  well  as  miscommunication  between  radiologists 
and  physicians.  Also,  integration  of  EMR  data  from  multiple  medical  practices 
facilitates  surveillance  for  potential  epidemiological  threat.  EMRs  are  expected  to 
streamline  business  practices  through  simplified  medical  record  access, 
improved  workflow,  enhanced  coding  and  charge  capture,  faster  claims 
submission and limited redundancy. In spite of these benefits, some challenges
have  impeded  the  dissemination  of  EMRs  such  as  lack  of  standards  and 
inconsistent  integration  with  clinical  workflow  coupled  with  concerns  about 
privacy  and  cultural  acceptance.  In  order  to  achieve  seamless  integration  of 
clinical  and  radiology  information  within  and  across  the  hospital,  the  existing 
standards such as HL7, DICOM and SNOMED should be fully integrated,
especially  at  the  level  of  small  practices.  (Source:  Journal  of  the  American 
College  of  Radiology). 


Issues 

•  The  integrated  electronic  medical  record  (EMR)  improves  patient  safety  and 
prevents  clerical  mistakes  as  well  as  miscommunication  between  radiologists 
and  physicians. 

Challenges 

• Health Connect is the Epic version of the Kaiser Permanente electronic medical record.

It  improves: 

-  Integration:  single,  comprehensive  medical  record  with  provisions  of 
information  including  past  visits,  lab  results,  radiology  reports, 
immunization  records,  medications  and  allergies. 

-  Clinician  access:  24/7  complete  access  to  patient  information 

-  Patient  access:  on-line  access  to  medical  records  and  service  such  as 
email  physicians,  prescriptions  refill,  lab  results  review,  health  information 
research,  and  appointment  scheduling 

-  Efficiency:  physicians  can  provide  medication,  order  lab  work,  radiology 
and  provide  referrals  from  single  system  at  point-of-service  and  eliminate 
redundant  entry  and  it  improves  advanced  care  planning  (simple 
registries,  reminder  systems,  protocols,  etc.) 

-  Safety:  system  alerts  support  patient  care  by  catching  abnormal  results, 
negative  trends,  patient  history,  chronic  problems,  and  drug/procedure 
combinations 

Next  steps 

• A program-wide system that integrates the clinical record with appointments,
registration  and  billing  will  enhance  the  quality  of  patient  care 

•  In  order  to  achieve  seamless  integration  of  clinical  and  radiology  information 
within and across the hospital, the existing standards such as HL7, DICOM and
SNOMED should be fully integrated, especially at the level of small practices.

User Centered Innovation beyond Open-Source Software

Donald  P.  Harrington,  MD,  MA,  NIBIB/NIH 

The open source movement is evolving from a software development process to a cultural
phenomenon.  Within  the  NIH  and  other  government  agencies,  the  demand  for  open  access 
for  taxpayer  funded  projects  and  the  need  for  quality  and  performance  in  mission  critical 
applications  is  leading  to  an  increased  demand  for  open  source  solutions.  While  the  primary 
focus  of  the  NIH  is  research,  an  important  component  of  the  institute’s  mission  is  translational 
research  for  clinical  applications.  A  variety  of  software  developed  for  research  purposes  is 
translatable  to  clinical  applications  and  there  is  no  better  place  to  start  than  in  clinical  imaging. 
While  open  source  software  is  a  key  factor,  another  critical  aspect  of  the  equation  is  user- 
centered  development.  Therefore,  a  solution  to  the  multi-institutional  image  management 
dilemma  is  a  combination  of  both  aspects.  This  presentation  focuses  on  open  source  and  the 
critical  needs  of  the  end  user.  While  the  issues  of  intellectual  property  rights  and  business 
model are important to the overall success of the open source movement, they are peripheral to
the  end  user.  The  end  user  needs  innovation,  flexibility,  quality  and  performance.  Important 
critical  issues  include  funding  sources,  governance,  leadership  and  sustainability. 


Issues 

•  There  is  clearly  a  need  to  consolidate  and  scale  up  various  open  source  research 
efforts  and  develop  an  open  clinical  imaging  system  to  support  MCI  needs  with 
end  user  focus 

•  Open  source  movement  is  progressing  from  software  development  to  cultural 
phenomenon 

•  The  end  product  is  much  better  when  developer  and  end  user  are  the  same 

•  There  are  currently  sustainable  business  models  using  OSS 

•  The  government  is  using  OSS  even  in  mission  critical  applications 

Key  factors 

•  Controlled  and  verifiable  process  for  software  development 

•  Identifiable  entity  that  certifies  process  and  will  audit  and  follow  up  on  post 
marketing  issues 

Next  steps 

• Intellectual property rights remain a controversial issue

• Liability issues are unclear

• FDA approval of OSS is no different than for proprietary software

• Current solutions are not suitable for the existing average user

•  Unanswered  questions  include: 

-  Can  the  existing  process  scale  to  clinical  imaging? 

-  Which  organization  or  consortia  of  organizations  can  provide 
governance? 

-  Who  will  pay  for  the  process? 

-  Differing  business  models  concerning  open  source 

-  What  is  the  government/NIH  position  on  the  subject  and  why  does  it 
matter? 

-  What  is  an  open  source  community  and  why  do  they  work? 

Market-Wide PACS

In  K.  Mun,  PhD,  Aventura  Hospital  and  Medical  Center 

The strategy of PACS implementation has gone through several revisions
recently. It started out as a radiology-centric system to be managed by the
radiology department. Due to the complexity of network and storage issues as
well as the interface required to the HIS, IS/IT department support was essential for a
successful PACS project. However, due to the success of multi-slice CT
scanners, high performance MRI scanners, digital X-ray and digital cath labs, we
have seen a huge increase in data volume, forcing volumetric image viewing as
well as demand for enterprise-wide image distribution. With the cost of
communication dropping along with a shortage of radiologists, we are now
witnessing the next evolution of implementing multi-hospital PACS, or market-wide /
regionalized PACS. This presentation will focus on the new trend in market-wide
PACS implementation and what the potential impacts are on radiology as
well as hospital management.


Issues 

• Current PACS issues are emerging new devices such as 64 slice CT, Digital
Cath Lab, Digital Mammo, standardization between DICOM and HL7, integration
between radiology, cardiology, PDA and RFID, patient safety, evidence based
medicine, performance based payment and Regional Healthcare Information
Organization

• Management issues such as selecting vendor, installation, maintenance &
upgrade, support

• Clinical issues such as figuring out core requirements, conflict between
radiologists & cardiologists and ER & OR

• Budgeting issues regarding how to set a budget

• CEO issues like competitive tool and liability

Challenges 

• Market-based PACS can reduce cost by sharing resources, make mobile patients
easier to manage, provide better coverage by specialists, optimize radiology
resources, improve patient safety, and lower communication cost.

• Market-based PACS models include one large centralized database with a
governing body, assembling distributed data with API functionalities, and sharing
distributed data under a peer-to-peer federated architecture

Next  steps 

• Resolving outstanding questions such as:

-  Sustainability 

-  Who  is  in  charge 

-  Organization  (IT  structure) 

-  Scalability 

Filling the Gaps with Open Source IHE Tools

David  S.  Channin,  MD,  Northwestern  University 

This presentation is an overview of the typical clinical and research imaging
environment. Gaps in meeting clinical and research needs, identified in other
presentations, are highlighted. The Integrating the Healthcare Enterprise initiative
is introduced and the IHE model for radiology operations explained. A model for
filling the identified gaps using open source IHE actors is presented.


Issues 

• No single vendor can meet all needs, difficult to deploy best-of-breed

• Complex processes involving heterogeneous systems

• Standards are necessary but not sufficient

• Data trapped in proprietary silos

• Commercial systems are not tools, tools can be used for purposes that the
creator did not envision

• Commercial systems do not innovate or iterate rapidly, focus on mundane
requirements of the early and late majority

Challenges 

• IHE defines use cases and workflows

- Local site workflows: knowledge from “The Lab” workflow feeds “The
Clinical” workflow

- Gather sites into federated regional operations (RHIOs)

- Gather RHIOs into federated national networks (NHIN), perhaps
coordinated by national agencies (NLM?)

• IHE helps fill the gap in innovation by choreographing transactions between actors
via standard protocols to address real world use cases. This includes interoperability
between clinics, and RHIOs

Next  steps 

• There are many IHE actors that are not yet available, in particular the reporting
workflow - let’s build them using Open Source methodologies?

- Sniff all DICOM and HL7 interactions, to create replicated DBs

- Use Protege ontology engine to recognize transactions

- Use the transactions to drive IHE workflow engine, including reporting

- This could be used to both drive clinical as well as research workflow, and
allows the introduction of new tools

- Incorporate feedback, for quality improvement, from other med specialties
(e.g. pathology)

The RSNA MIRC Application - An Open Source Management System for Teaching
Files and Multi-Center Clinical Trials

John  Perry,  Radiological  Society  of  North  America 

Medical Imaging Resource Center (MIRC) is an open source initiative of the RSNA to provide
tools to radiology in support of teaching files and clinical trials. MIRC is implemented as a
peer-to-peer system that facilitates the sharing of information in a community of systems
worldwide. This paper describes the architecture of the MIRC system and details its use in
multi-center clinical trials, including lessons learned with respect to:

-  Architectural  concerns  in  multi-center  trials:  the  topology  of  a  multi-center  trial 

-  Software  installation  at  imaging  centers:  the  remote  IT  problem 

-  Software  configuration:  managing  software  and  configuration  updates 

-  Anonymization  and  pseudonymization:  central  vs.  distributed  remapping 

-  Data  formats:  beyond  DICOM 


Issues 

•  RSNA’s  MIRC  objectives  are  global  sharing  of  digital  teaching  files,  scientific,  technical, 
and  educational  materials  and  research  datasets  of  original  format  images 

•  Lessons  from  field  centers  include 

-  IT  support  is  almost  unavailable. 

-  Initial  software  installation  requires  a  human  being,  but  it  should  be  simple. 

-  Software  updates  should  require  a  person  to  trigger  them. 

-  Anonymizer  scripts  should  be  automatically  updated. 

Challenges 

•  MIRC  provides  global  sharing  of  data,  educational  materials,  etc. 

-  Cooperating  libraries  with  a  common  query  mechanism 

-  MIRC  specifies  how  to  find  and  access  documents 

-  There  are  8  independent  implementations  of  MIRC,  including  the  RSNA 
implementation 

•  MIRC  provides  data  collection  for  clinical  trials 

-  Collect  data  with  PHI  on  site  with  Field  Center 

-  Optionally  anonymize  and  send  to  central  MIRC  site 

-  MIRC  site  then  distributes  data  via  DICOM  and/or  an  external  DB  connection 

-  Complications: 

o Trial subject registration/mapping to patient ID

o Multiple PIs

o Separate PIs for imaging and overall trial

o Transfer of non-image objects

o Separate analysis sites (not PIs) that retrieve data, and return results

•  Can  MIRC  tie  into  IHE? 
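
The central versus distributed remapping choice named in this summary, sketched as an added Python example; it is not part of the RSNA MIRC software. The class names, PHI field list, trial ID, key and sample headers are all constructed for illustration.

```python
import hashlib
import hmac

# Header fields treated as PHI in this sketch (assumed list, not a full profile).
PHI_FIELDS = ("PatientName", "PatientBirthDate", "ReferringPhysicianName")

# Constructed sample headers; the first two are two studies of one patient.
SAMPLE_RECORDS = [
    {"PatientID": "MRN-0012345", "PatientName": "DOE^JANE",
     "PatientBirthDate": "19610304", "StudyDate": "20060114", "Modality": "CT"},
    {"PatientID": "MRN-0012345", "PatientName": "DOE^JANE",
     "PatientBirthDate": "19610304", "StudyDate": "20060320", "Modality": "CT"},
    {"PatientID": "MRN-0067890", "PatientName": "ROE^RICHARD",
     "PatientBirthDate": "19550921", "StudyDate": "20060115", "Modality": "MR"},
]


def strip_phi(record, subject_id):
    """Copy the record, drop PHI fields, and replace PatientID with the subject ID."""
    clean = {k: v for k, v in record.items() if k not in PHI_FIELDS}
    clean["PatientID"] = subject_id
    return clean


class DistributedRemapper:
    """Remapping done at the field center: only pseudonymized data leaves the site.

    The subject ID is a keyed hash of the local patient ID, so no lookup table
    has to be shipped or synchronized. The per-trial key must stay secret;
    without it the IDs cannot be recomputed from a list of candidate MRNs.
    """

    def __init__(self, trial_id, trial_key, site):
        if len(trial_key) < 16:
            raise ValueError("trial key too short")
        self.trial_id, self.trial_key, self.site = trial_id, trial_key, site

    def subject_id(self, patient_id):
        msg = f"{self.trial_id}|{self.site}|{patient_id}".encode()
        digest = hmac.new(self.trial_key, msg, hashlib.sha256).hexdigest()
        # Truncated to 64 bits for readability; ample for trial-sized cohorts.
        return f"{self.trial_id}-{digest[:16]}"

    def pseudonymize(self, record):
        return strip_phi(record, self.subject_id(record["PatientID"]))

    def reidentify(self, subject_id, local_patient_ids):
        """Only the site can do this, by recomputing over its own patient list."""
        for pid in local_patient_ids:
            if hmac.compare_digest(self.subject_id(pid), subject_id):
                return pid
        return None


class CentralRemapper:
    """Remapping done at the central site: PHI crosses the network first.

    The central site assigns sequential subject IDs and holds the only
    mapping table, which becomes the asset to protect and back up.
    """

    def __init__(self, trial_id):
        self.trial_id = trial_id
        self._by_patient = {}
        self._by_subject = {}

    def subject_id(self, site, patient_id):
        key = (site, patient_id)
        if key not in self._by_patient:
            sid = f"{self.trial_id}-{len(self._by_patient) + 1:04d}"
            self._by_patient[key] = sid
            self._by_subject[sid] = key
        return self._by_patient[key]

    def pseudonymize(self, site, record):
        return strip_phi(record, self.subject_id(site, record["PatientID"]))

    def reidentify(self, subject_id):
        return self._by_subject.get(subject_id)


if __name__ == "__main__":
    field = DistributedRemapper("TRIAL42", b"constructed-demo-key-32-bytes!!!", "FC-A")
    central = CentralRemapper("TRIAL42")
    for rec in SAMPLE_RECORDS:
        print("distributed:", field.pseudonymize(rec))
        print("central:    ", central.pseudonymize("FC-A", rec))
```

In the distributed variant the thing to protect is the per-trial key; in the central variant it is the mapping table and the PHI in transit to it.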

Multimedia Infrastructure Issues in Grid Environments

Eugen Vasilescu, PhD, Georgetown University

Large  databases  of  (clinical)  images  are  being  created  and  the  need  to  share 
information  is  accepted  by  all  healthcare  stakeholders,  including  practitioners, 
patients,  vendors  and  researchers.  Sharing  information  through  point-to-point 
interfaces  is  a  known  dead-end.  There  is  a  need  to  effectively  bridge  the  potential 
image  islands  in  a  standardized  manner  and  Grid  Environments  offer  the  promise 
of  standardized  flexible  support  in  (multimedia)  distributed  environments. 


Issues 

• Clinical images are getting larger, and the need to share information across all
healthcare stakeholders, including practitioners, vendors and researchers, is
growing

•  Need  to  integrate  the  distributed  images  in  a  standardized  manner 

Challenges 

•  Grid  offers  flexible  support  of  distributed  environments 

•  Handle  binary  data  as  an  attachment  above  a  certain  size  threshold 

-  By  reference  as  URI 

- By value by SOAP (SwA) or WS attachments

• In relation to IHE, GRID needs the right granularity of

-  what  to  move  around 

-  what  is  a  good  logical  view 

-  the  use  cases  that  are  multi-center 

•  Chatty  exchange  of  messages  is  not  very  good  for  GRID,  so  IHE  and  related 
protocols  may  need  adjusting 

Next  steps 

•  Need  to  define  scope  of  multi-center  collaboration,  what  is  the  nature  of  the 
virtual  organization?  Do  we  need  to  create  them  on  the  fly? 

•  Grid  provides  a  standardized  way  of  dealing  with  state  (in  WSRF  in  GT4),  but 
what  is  its  role  in  MCIM? 

-  Notification  of  state  changed 

-  State  maintenance  over  days  instead  of  minutes 

-  Backup/Recover 

-  Link  unavailability 

•  Lots  of  issues,  but  there  is  a  ‘critical  mass’  of  tools  available  to  tackle  MCIM. 

Practical Challenges in a Heterogeneous Global PACS Architecture

Peter  Killcommons,  MD,  MedWeb 

MedWeb  has  had  the  opportunity  to  develop  architecture  to  manage  the  imaging 
workflow  across  a  global  organization.  This  presentation  provides  insight  into  the 
impact  of  firewalls,  intrusion  detection  systems,  and  multi-domain  security  issues 
from  an  IT  perspective,  acceptable  user  interface  performance  from  a  clinical 
practitioner’s  perspective,  and  real  world  accounting  of  the  frequency  and  types 
of  problems  typically  encountered  in  this  environment.  These  include  political, 
technical,  and  architectural  problems  as  well  as  some  suggested  solutions. 


Issues 

•  Integration  and  deployment  of  heterogeneous  PACS 

-  High  turnover  rate  of  personnel 

-  Variety  of  computing  backgrounds 

- Require rigorous training of new replacements

-  Require  good  installation  and  operational  manuals 

•  Heterogeneous  issues 

-  Mobile  PACS  with  satellite 

-  Networking  (including  security,  encryption) 

-  IT  integration  with  other  vendors 

•  5-6  connectivity 

•  Shared  unread  worklist 

•  Conformance  statements  vs.  real  implementation 

-  Administration  (network,  user  training,  s/w,  h/w) 

-  Clinical  expectation 

-  Multi-vendors  cooperation 

-  Configuration  management 

-  Deployment 

-  Using  open  source  to  build  PACS 

Building an Open Source Platform: A Case Study from Mac OS X and Apple

Ernest  Prabhakar,  PhD,  Apple 

This  presentation  describes  how  Open  Source  and  Open  Standard  technologies  have 
helped  make  Mac  OS  X  the  world's  most  advanced  operating  system,  and  Apple  the 
world's largest vendor of open source software. He discusses the advantages and
challenges of building a platform using open source, and describes key Apple
technologies of relevance to the PACS community.


Open  Source  Imaging  Tools 

Rick  Avila,  Kitware,  Inc. 

Healthcare  researchers  and  commercial  solution  providers  are  increasingly  utilizing  open 
source  toolkits  to  develop  advanced  clinical  imaging  solutions.  The  Visualization  Toolkit 
(VTK)  and  the  Insight  Toolkit  (ITK)  represent  two  large,  mature,  and  globally  utilized 
toolkits  that  provide  state-of-the-art  imaging  architectures  and  algorithms  to  application 
developers.  VTK  provides  a  wide  range  of  advanced  multi-dimensional  visualization 
algorithms  including  volumetric  reformat,  volume  rendering,  and  geometric  surface 
rendering  algorithms.  ITK  provides  advanced  image  processing  algorithms,  with  a 
particular  emphasis  on  medical  image  segmentation  and  image  registration  algorithms. 
VTK  and  ITK  were  developed  with  a  strong  emphasis  on  advanced  computing 
technologies  and  software  quality.  The  C++  software  architecture  of  these  toolkits  has 
evolved  over  the  years  to  support  a  wide  range  of  advanced  algorithms  and  computing 
technologies  including  parallel  computing.  In  addition,  several  computational  tools  and 
utilities  have  been  developed  that  facilitate  the  global  development  of  a  high  quality 
toolkit  including  a  cross-platform  build  tool  called  CMake  and  a  software  quality 
dashboard  called  DART.  These  open  source  imaging  toolkits,  and  their  supporting  tools 
and  utilities,  represent  a  large  and  growing  resource  for  future  open  source  technology 
solutions. 

Open Source Approaches and Lessons Learned from Other Industries

Walid  G.  Tohme,  PhD,  Georgetown  University 

Open Source software is becoming more widespread and open source business
models have emerged that seem to be successful. They include a service
approach, a licensing strategy, the aggregator model, a proprietary add-on
approach and finally hardware built with open source software. This presentation
explores these models with case studies to illustrate them. It remains to be seen
which of these models or which combination would be appropriate for
multi-center image management but it is clear that Open Source will play a key part in
the future. Challenges to adoption and success of Open Source are also
discussed.


Issues 

•  What  is  Open  Source?  Does  it  yield  more  benefits  or  incur  fewer  costs  than  other 
options? 

•  What  makes  OS  timely  now? 

•  What  OS  business  models  exist? 

•  How  are  the  traditional  players  reacting? 

•  What  challenges  still  exist? 

•  Which  model(s)  are  appropriate  for  MCIM? 

Challenges 

•  Open  source  is  likely  to  become  the  dominant  model  for  creating  software  to 
improve  the  quality  of  care  in  a  cost-effective  way 

•  Open  Source  is  not  the  end  of  commercial  healthcare  software  suppliers  nor  is  it 
free  software  for  all.  However,  it  will  provide  a  reference  point  and  an  agent  for 
managing  price 

•  Successful  open  source  requires 

-  Well-written  document 

-  No  hidden  functionalities 

-  Full  access  to  source  code 

•  Open  source  license 

-  Unrestricted  (Apache,  BSD) 

-  Restricted  (GPL,  LGPL) 

•  Emerging  open  source  models 

-  Service  and  maintenance  fees 

-  Proprietary  add-on 

-  Dual  licensing  (GPL  vs.  commercial) 

-  Aggregation  of  several  open  source  projects 

-  Embedded  (Linux  on  Tivo) 

Next  steps 

•  What  final  model  will  be  adopted  remains  to  be  seen.  The  key  is  to  find  the 
winning  framework  for  industry,  academia  and  government. 

A Case Study in Open Source Software: The Image-Guided Surgical Toolkit

Kevin  Cleary,  PhD,  Georgetown  University 

Open  source  software  has  tremendous  potential  for  improving  the  productivity  of 
research  labs  and  enabling  the  development  of  new  medical  applications. 

The  Image-Guided  Surgery  Toolkit  (IGSTK)  is  an  open  source,  cross  platform,  software 
toolkit.  IGSTK  integrates  the  basic  components  needed  in  surgical  guidance  applications 
and provides a common platform for fast prototyping and development of robust
image-guided applications. This presentation will give an overview of the IGSTK framework and
current status of development including an example needle biopsy application. We will
also discuss the state machine architecture and the software development "best
practices"  used  in  the  project.  This  project  has  been  a  collaborative  effort  between 
Georgetown  University,  Kitware  Inc.,  Atamai  Inc.,  and  Arizona  State  University.  The 
work  is  supported  by  the  National  Institute  of  Biomedical  Imaging  and  Bioengineering  at 
the  National  Institutes  of  Health. 

Issues 

•  Software  is  a  critical  component  for  image-guided  surgery;  however  software 
development  takes  the  most  time  in  these  systems. 

•  It  is  difficult  to  develop  robust  software 

•  Medical  researchers  are  not  necessarily  software  professionals 

Challenges 

•  Image-guided  Software  Toolkit  (IGSTK)  aims  to  provide  common  functionality  for 
image-guided  surgery  applications 

• Initial release at SPIE Medical Imaging Conference in February 2006
(http://public.kitware.com/IGSTKWIKI/index.php/Main_Page)

•  A  robust  software  development  for  IGSTK 

•  BSD  license,  features  of  2D/3D  visualization,  several  image  registrations,  GUI, 
error  capturing,  logging,  APIs 

•  Project  measurement 

-  Competent  people 

-  Constant  communication 

-  Producing  iterative  release 

-  Managing  source  code  from  a  quality  perspective 

-  100%  code  testing  coverage 

-  Building  and  testing 

-  Software  process  with  robust  tools 

-  Focusing  on  current  requirements 

The Open Three (O3) Consortium Project

Paolo  Inchingolo,  PhD,  University  of  Trieste 

Born from the fusion and the integration of the DPACS project (1995) of the
University of Trieste and the Raynux/MARiS project (2002) of the University of
Padova, the Open Three Consortium (O3) is an innovative Project of these two
Universities, in the frame of international networks ABIC-BME and ALADIN and
of the about 50 bilateral cooperation Agreements of the Higher Education in
Clinical Engineering (HECE), University of Trieste, with Healthcare and Industrial
Enterprises as well as with Governmental Agencies. These Agreements are the
bases of the O3 Consortium Community of Users, which counts, up to today, O3
installations in five Italian Regions and running installations in many other
countries.

The goals of O3 are archiving, transmission, exchange, retrieval and visualization
of data, signals, images and reports, within an integrated hospital-territory-citizen
system. All O3 systems can be scaled at any range, up to national and
international dimensions. O3 is developed completely as Open Source and with
Java technology, to facilitate its re-use and portability, fostering a wide diffusion
in Italy and abroad.

It is fully data-base, OS, HW and language independent, and 100% compliant
with the world-wide interoperability initiative “Integrating the Healthcare
Enterprise” (IHE).

O3’s “bricks” are built according to IHE “Actors”. O3’s information flows are totally
compliant with IHE Integration Profiles. Currently, O3 offers 19 IHE actors and 15
IHE profiles, totalling 53 actors/profiles couples.

The O3 Enterprise, a spin-off from the two Universities, is now being constituted,
to offer services of implementation, management, customization and integration
to the healthcare enterprises in Italy and abroad.

Challenges 

• The Open Three (O3) consortium project is a collaboration between the University of
Trieste and the University of Padova.

• Rooted from DPACS and MARiS

• Merge open source

- Technologies

- Clinical and technological standards

•  DICOM 

•  HL7 

-  Framework 

•  IHE 

•  The  mission  is  to  promote  an  integrated  three  dimensions  of  the  Health  Policies. 

-  Hospital 

-  RHIOs 

-  Home  care 

•  Software  is  independent  of  platform,  database,  operating  system,  and  languages 

•  Architecture  is  based  on  IHE  actors. 

•  Workflow  is  based  on  IHE  Integration  Profiles. 

•  19  actors  and  15  profiles  implemented 

• Participated in IHE Connectathon 2005 and 2006


Industry  Panel  Pearls  of  Wisdom 

Issues 

• PACS transition from silos into open systems/open source is about integrating
heterogeneous architectural silos into a coherent homogeneous environment.

• Migration from legacy architecture into MCIM architecture/model costs
tremendously if the ultimate solution is built up front. An interim cost-effective and
clinically effective approach to implementing needed changes is required.

• Clinically, imaging modalities including dermatology, pathology, and oncology
need to be addressed in the same consistent manner in which radiology and cardiology are
currently managed and protected.

•  Meta-data  must  be  registered  and  managed  from  the  enterprise  level  to  improve 
healthcare  delivery  process  and  efficiency  across  the  continuum. 

•  Target  should  be  towards  “personalized  medicine"  rather  than  “median  medicine" 
approach  (where  shotgun  testing  is  done  and  then  evaluated). 

•  Vendors  must  allow  decoupling  or  fragmentation  of  their  package  so  that 
customers  will  have  greater  flexibility.  (Customer  driven  activity  during  the 
procurement  process). 

•  Distributed  health  care  model  is  needed  rather  than  centralized,  however  there  is 
some  argument  that  both  are  needed  in  a  balance  for  success. 

• “Maria Gonzalez Syndrome” problem is solved with IHE, it just hasn’t been
implemented. Need “scheduled Patient ID Reconciliation” implemented to
automate the process.

Challenges 

• Open source approach can significantly reduce development time and costs by not
having to build the entire product from scratch, and/or purchase proprietary software.

•  Open  source  collaboration  is  critical  to  distributed,  cost  effective  development. 

•  Internet  should  be  a  model  to  “flatten  healthcare"  in  terms  of  efficiency  and 
quality  (equates  to  cost,  time  to  delivery,  and  enhanced  quality). 

•  Education/marketing  of  clinical  requirements,  standards  and  related  costs  to  the 
IT  organizations  is  critical. 

•  There  are  barriers  and  gaps  between  end  user  and  product  development.  “Listen 
to  the  customer”. 

-  “Bottom  up”  via  users’  groups 

- “Top down” from work with IHE and other professional groups

-  “Sideways  across”  via  collaboration  with  distributed  pool  of  open  source 
developers  (“Co-Laboratory”) 

•  There  are  difficulties  with  using  the  co-laboratory  approach  for  development  on 
live  clinical  systems.  There  must  be  parallel  test  and/or  development  systems  in 
place  to  avoid  disruption  of  clinical  workflows/operations.  Ideally,  test  systems 
should  be  used  against  the  clinical  data  set 

•  Use  Standards  Organizations  to  guide  development 

Next  steps 

• Industry must be leveraged to build/implement IHE. The customers must drive
this in their procurement instruments. However, they must have a broader view of
requirements to include smaller, more rural facilities/enterprises.

•  Educate  IT  on  Radiology/Clinical  Requirements  -  Get  into  HIMSS 

• Build IHE into procurement requirements in RFPs, and be specific; perhaps
require conformance statements from manufacturers

• Look at previous efforts and other industries outside of medical for solutions,
e.g. pharmaceutical industry, banking industry, to speed time to market and
reduce costs for industry and customers.


Mind  the  Gap! 

Michael  J.  Ackerman,  PhD,  NLM/NIH 

Issues 

• Significant barriers for open data and literature

• Concerns about filling the GAP between the grant and production, because
open software is not free

• $ over 4 years for development

• $ year for sustaining

- Future development cost

- Distribution cost including acknowledgment of intellectual property issues

- Help desk cost

- Test costs

Challenges 

• Look at previous experiences with other successful open source (Apache, ITK,
Linux, Biomed Central)

Next  steps 

• Plan for becoming self sustaining should be part of the grant proposal or original plan

• Early adoption of a business model

• Diversification plan for open source projects

Triple Helix Model

Conrad Clyburn, TATRC

The  U.S.  Army  Medical  Research  and  Materiel  Command  (USAMRMC), 
Telemedicine  and  Advanced  Research  Center  (TATRC)  is  responsible  for  life 
cycle  management  of  over  500  medical  research  and  development  programs, 
with  a  2005  budget  of  approximately  $.  The  Center’s  research 
responsibilities  extend  to  execution  of  academic,  government  and  industry 
programs  in  telemedicine,  medical  informatics,  advanced  surgical  technology  and 
imaging,  bioinformatics,  medical  modeling  and  simulation,  biosurveillance, 
robotics,  biomaterials,  tissue  engineering  and  nanotechnology.  TATRC 
programs  have  produced  a  number  of  technologies  that  are  in  use  by  U.S. 
service  members  in  the  United  States  and  overseas,  by  other  federal  agencies, 
and  the  White  House  medical  unit.  In  addition,  TATRC  programs  have 
generated  hundreds  of  peer  reviewed  medical  articles,  scores  of  invention 
disclosures  and  patent  filings,  and  dozens  of  patent  licenses  and  spin  off 
businesses.  This  presentation  will  review  advanced  imaging  and  Picture 
Archiving and Communications Systems (PACS) programs relevant to Multi-Center
Image Management (MCIM), and how TATRC uses Triple Helix
strategies  involving  academia,  industry  and  government  to  accelerate  technology 
implementation. 


Issues 

•  General  inability  to  translate  medical  innovation  to  clinical  use  in  federal  as  well 
as  private  sector 

• Increased investment in medical research and development (JAMIA reported that
medical research funding was doubled to $ from 1994 to 2003)

•  Best  role  for  government  is  to  spend  its  R&D  money  in  early  development  stages 
to  influence  industry’s  future  direction  to  meet  government  needs,  reduce 
industry’s  technical  risks  and  speed  time  to  market 

•  Modifying  commercial  products  to  meet  government  needs  can  be  expensive; 
locks  in  obsolescence  and  poor  return  on  investment 

Challenges 

•  Telemedicine  and  Advanced  Medical  Technology  Program  aims  to  apply 
physiological  and  medical  knowledge,  advanced  diagnostics,  simulations,  and 
effector  systems  integrated  with  information  and  telecommunications  for  the 
purposes  of  enhancing  operational  and  medical  decision-making,  improving 
medical  training,  and  delivering  medical  treatment  across  all  barriers. 

•  Projected  FY05  funding  is  $ 

• Core research leading to transformational technologies includes directed energy,
robotics, nanotechnology, immersive VR environments and biotechnology

• Typical TATRC Triple Helix Consortium is between academia, government and
industry (Ex. BMIS-T, Chest Tube Simulator, Digital X-ray, Dreams Digital
Ambulance, Smallpox Inoculation Training Unit, Medical Robotics, BRSS,
STAT-Care and Retinal Imaging)


An  FDA  Perspective 

Alford  Taylor,  Jr.,  CDRH/FDA 

Issues 

• CDRH mission is to protect and promote the public health by ensuring the safety
and effectiveness of medical devices

• The regulatory reviewer’s challenges are how well it needs to work or how bad
it can be and still be acceptable

Challenges

• Retrospective validation could be characterized as an augmented validation
effort, incorporating all the checks and balances that would have been a part of a
comprehensive design control process

- Detailed requirements documents

- Top-down and bottom-up risk analyses, risk evaluations, and risk control
decisions

- Comprehensive software/systems V&V

- Clinical validation of the system

NCI Resource for Assessment of Open Source Tools

Larry  Clarke,  PhD,  NCI/NIH 

Challenges 

• NCI caBIG Imaging Workspace is a recently formed workspace that employs open source
to:

-  Promote  standards  for  image  mark-up/annotation. 

-  Encourage  development  of  reference  images  and  software  standards  for 
evaluation  of  software  tools  and  data  integration  tools 

-  Software  for  validation  of  imaging  systems/platforms  including  simulation 
methods 

-  Grant  support  through  caBIG  and  NCI  PAR’S 

• NCI research opportunities emphasize open source platforms and
software tools

-  Reference  image  data  bases  required 

-  Standardized  methods  for  image  annotation  and  mark  up. 

-  Objective  and  reproducible  means  to  compare  the  performance  of 
software  tools 

Next  steps 

•  The  early  potential  of  open  source  tools  may  be  the  greatest  for  image 
annotation  and  other  tools  necessary  for  validation  of  imaging  systems  and 
methods. 

•  Open  source  tools  that  are  application  specific  pose  problems  in  terms  of  their 
assessment  prior  to  use  in  clinical  investigations 

•  FDA  approval  and  CMS  reimbursement  may  pose  problems  if  non  standardized 
methods  for  their  performance  are  used. 

The United States Measurement System: Roadmapping America's Measurement
Needs for a Stronger Innovation Infrastructure

Richard N. Spivack, PhD, NIST

Abstract 

Critical  diagnostic  and  clinical  standards  and  techniques  are  required  for  the  evaluation 
of  medical  images,  medical  imaging  devices  (includes  both  image  acquisition  devices 
such  as  digital  cameras  and  microscopes,  and  display  devices  such  as  CRTs  and  LCDs), 
the  evaluation  of  computer  assisted  diagnostic  (CAD)  tools,  and  the  effects  of 
compression  on  image  quality.  These  evaluation  processes  are  increasingly  critical  as 
new  medical  diagnostic  and  imaging  techniques  become  available  and  as  new  or 
improved  display  technologies  come  into  use.  There  is  also  a  growing  need  to 
communicate  and  render  image  information  across  different  information  display  systems. 
Diagnosticians  in  many  areas  have  integrated  new  imaging  devices  into  their  practice, 
often  without  regard  to  fidelity  issues  that  to  too  many  are  not  particularly  obvious.  Thus, 
it  has  become  routine,  for  example,  for  many  doctors  to  take  images  home  with  them  for 
viewing  in  the  comfort  of  their  homes.  Images  are  routinely  emailed  to  consulting 
physicians  without  regard  to  whether  the  displays  on  which  they  are  viewed  meet 
minimum  performance  standards.  Images  may  be  compressed  for  storage  or  for 
transportation  across  wireless  systems.  Incorrect  rendering  of  a  transmitted  medical 
image  could  lead  to  an  inaccurate  diagnosis  with  potentially  lethal  consequences. 

NIST explores the challenge and demands placed upon the U.S. Measurement System (USMS)
by the new technologies and critical applications in medical imaging and telemedicine,
and addresses how the USMS should be redefined to meet its role.

Issues 

• FDA approval and CMS reimbursement may pose problems if non-standardized
methods for their performance are used.

Key  features 

• NIST builds partnerships with the telemedicine community to enable high
quality remote medical imaging through measurement practices and assurance
procedures, and to facilitate standards development and interoperability while
contributing to better health care quality.

•  The  U.S.  Measurement  System  is  the  complex  of  all  methods,  instruments, 
entities,  institutions,  and  standards  involved  in  measurements  of  products  and 
processes  of  significance  to  the  economy,  security,  and  quality  of  life  of  the 
Nation. 

•  NIST  needs  partnership  with  the  public 

• NIST has expertise in multiple domains and can provide help in
measurement

-  Define  the  template  for  data  collection 

-  Collect  input 

-  Conduct  assessments 

-  Create  an  action-plan  roadmap 

-  Report  to  customers  and  stakeholders  on  the  state  of  the  USMS 

•  Current  measurement  needs 

-  Telemedicine  Interoperability-Standards 

-  TeleMental  Health  interactive  video 

- Coding for Tele-Mental Health and Surgical Endoscopy

-  Telemedicine  Digital  Cameras 

-  Telemedicine  Display  Systems 

-  Telemedicine  Imaging  Systems 

-  Remote  Image-based  Medical  Diagnostic  Tools 

Next  steps 

•  NIST  will  focus  its  efforts  in  3  areas: 

-  Biochemistry 

-  BioEngineering 

-  Bioinformatics 

Peer to Peer Technology

Osman  Ratib,  MD,  PhD,  Universite  de  Geneve 

With increasing requirements for wide access to images inside large distributed
radiology departments as well as outside radiology departments in clinical
services, it has become difficult to provide adequate and efficient distribution of
image data with a traditional centralized architecture. We have elected to explore
an alternative solution based on peer-to-peer technology and grid architecture. The
goal is to allow users across the enterprise to access any study anytime
without the need for pre-fetching or routing of images from central archive
servers. Images can be accessed between different workstations or local storage
nodes.

We implemented a new peer-to-peer and remote file access technology
developed by Apple Computer called “Bonjour” that is embedded in the latest
UNIX-based OS X operating system, version 10.4. Bonjour allows applications to
share data and files remotely with optimized data access and data transfer. Our
open-source image display platform, called OsiriX, was adapted to allow sharing
of local DICOM images through direct access to a local SQL database, so that they
are accessible from any other OsiriX workstation over the network. A server version
of the OsiriX Core Data database also allows access to distributed archive servers
in the same way.

The performance of peer-to-peer access to the images was found to be 10 to 20
times faster than accessing the same data from the central PACS archive. The
convenience and high performance of the system allows multiple users to share
data more efficiently and perform advanced image processing and analysis in a
distributed environment. It is particularly suitable for large hospitals and
academic environments where clinical conferences, interdisciplinary discussions
and successive sessions of image processing are often part of complex workflow
or patient management and decision making. Therefore we believe that a
peer-to-peer architecture connecting multiple workstations and temporary storage
servers can provide an alternative system that can complement traditional
PACS infrastructure and allow rapid and easy exchange of image data among
a large number of users and image processing workstations. (Antoine Rosset,
Osman Ratib, Joris Heuberger)

Limitations  of  web-based  image  distribution 

-  Slow 

-  Inefficient  for  large  image  sets 

-  No  reformatting  and  3D  rendering 

-  Limited  image  processing 

-  Restrictive  workflow 

Challenges 

•  Peer-to-peer  data  sharing 

-  Direct  browsing  of  remote  database 

-  Direct  access  to  image  files  on  remote  workstations 

-  Use  of  Bonjour/TCP-IP  protocol  (zero  configuration  network  protocol) 

-  Optimized  random  image  access 

-  Simple  graphic  user  interface  for  image  retrieval  across  multiple  workstations 

- Simple to use: Napster/Kazaa model

-  Fast  access 

-  Open  source 

Issues

- Not HIPAA compliant & Security issues

- Platform dependent

-  No  IT  support 

-  Hard  to  experiment  in  a  production  environment 

Recommendations 

- Use P2P as a testing application, e.g. teaching files

-  Can  be  used  with  anonymized  data  in  research 

-  If  successful,  industry  can  take  the  application  and  make  it  a  product 

Application Hosting: A Standardized API for Launching and Communicating with
“Plug-in” Applications

Lawrence  Tarbox,  PhD,  Washington  University  at  St.  Louis 

This presentation reports on the activities of DICOM WG 23. Many of the ideas
were jointly developed by the participants in the WG, which includes
representatives from GE, Philips, Kodak, Agfa, Siemens, Grade, IBM, Mercury,
Societe Francaise de Radiologie, along with other representatives to the DICOM
committee.

Motivation 

• The pace of research and clinical acceptance could be accelerated if analysis
programs could be run in the clinical setting, as part of the clinical workflow,
without time-consuming movements of people and data from H/S to H/S.

Problem 

• Stakeholders in developing such agent-specific analysis applications typically are
not the vendors/creators of the medical workstations

• Little market incentive for medical workstation vendors

• Stakeholders do not want to develop multiple versions of an application

Proposed solutions

• Create a mechanism where applications written by one party could be launched
and run on systems created by multiple other parties

• Allow launched applications to efficiently access images and other resources
controlled by the host

• Provide a framework for exchanging information about those applications

• Support both research and clinical environments

Challenges 

• Goal of DICOM WG23 is to develop a standardized API that runs on any host
that is:

- Platform and language independent

- Extensible

- Secure


Issues 

• Implementations of Open Standard interfaces can be Open Source or proprietary

• Implementations on either side of the interface need not be created by the same
entity

• Interoperability is gained by adherence to the standard

HealthGrid: Grid Technologies for Biomedicine

Mary  Kratz,  University  of  Michigan 

Use  of  GRID  technologies  to  support  effective  healthcare  information 
infrastructure  is  a  component  of  national  cyber  infrastructure.  GRID  applications 
in  biomedical  environments  enable  the  creation  and  operation  of  distributed 
communities  across  organizational  boundaries.  Enhanced  collaboration 
environments,  visualization  tools,  computational  resources  and  storage 
capabilities  are  all  GRID  services  upon  which  Virtual  Organization  can  build 
information  infrastructure.  This  emerging  information  technology  infrastructure 
enables  the  creation,  administration  and  management  of  image  based 
biomedical  information. 

A  HealthGRID  is  an  environment  where  data  of  medical  interest  can  be  stored, 
processed  and  made  easily  available  to  the  different  healthcare  participants: 
researchers,  physicians,  healthcare  organizations,  the  public  health  sector, 
healthcare  administration,  individual  citizens  and  other  communities  of 
practice. If such an infrastructure were to offer all necessary guarantees in terms
of security, respect for ethics and observance of standard regulatory frameworks,
it would allow the association of post-genomic information and medical data. The
possibilities  open  up  new  mechanisms  to  improve  healthcare  across  a  continuum 
of  sectors. 

There exists a common shared set of protocols that allows the construction of
effective middleware software to deploy GRID services. A lack of clinical
feedback has resulted in a lag of proven applicability, but a tipping point towards
service-oriented architectures (SOA) is currently underway. There is a need for
clinical feedback to insure applicability and to address performance issues.
Shared  experiences  provide  an  effective  approach  to  collaborative  partnerships 
in  the  interplay  between  medical  and  computer  science  expertise. 

Challenges 

•  From  grid  to  HealthGrid: 

-  Many  current  initiatives  in  Grid  computing  applied  to  healthcare  at  the 
national  and  international  levels  (EuroGrid) 

-  Current  efforts  to  develop  standards 

-  The  value  of  virtual  organizations  to  cross  administrative  boundaries 

-  GRID  benefits  are  possible  TODAY  for  Biomedicine 

-  GRID  is  foundation  of  good  Cyber  Infrastructure 

•  Bringing  the  HealthGrid 

-  How  to  integrate  little  science  into  Big  Science  and  globally. 

-  Open  Science 

-  Globus  Toolkit:  Open  Source  Grid  Infrastructure 

Next steps

•  HealthGrid  requires  a  ‘healthy’  GRID 

-  Strong  algorithms 

-  Functional  OPEN  architectures 

-  Data  sharing  needs  as  part  of  a  cultural  shift 

•  Enable  the  ‘incidental  user’ 

-  How  should  a  legislator  find  scientific  basis  before  making  a  decision 

•  Address  access  policies 

-  Storage  Request  Broker  (SRB) 

-  Creative  Commons 

•  Real-time  simulations  and  test  beds  are  needed 

-  Human  capacity  building 

Network Security for Medical Devices & Systems Conference


Arlington  Hilton  Hotel 
Arlington,  Virginia 
June  12-14,  2006 


Abstracts 


Cyber-security  in  Medical  Devices,  Problems  and  related  Guidance;  -  FDA  Perspective 
Brian  Fitzgerald,  Deputy  Director,  Electric  Engineering  and  Software,  FDA 

FDA  has  published  guidance  to  industry  relating  to  the  modification  and  update 
of  certain  aspects  of  computer  controlled  medical  devices.  These  devices  are 
routinely  subjected  to  threats  related  to  unauthorized  intrusion,  malware  and  the 
like. These threats can only be mitigated by measures implemented within a
close relationship between the COTS vendors, the device manufacturer and the
device user, which protect the regulatory landscape of each member. A brief
discussion  of  the  problem  and  the  guidance  will  be  presented. 

Cyber-security  in  Medical  Devices;  -  Industry  Perspective 
Evan  Gaddis,  President  and  CEO,  NEMA 
Jess  Edwards  of  Eastman  Kodak 

In  an  effort  to  deliver  the  highest  value  technology  at  the  lowest  price,  the 
medical device industry has increasingly built their solutions with commercial
off-the-shelf software. At the same time, the healthcare industry has realized
significant  cost  savings  by  improving  workflow  and  providing  caregiver  access  to 
just-in-time  information  near  the  point  of  care.  Information  Technology  and 
engineering  staff  now  interconnect  many  IT-based  hospital  devices  -  putting 
large-scale  enterprise  systems  on  the  same  network  with  laboratory,  monitoring, 
diagnostic,  and  treatment  systems.  The  past  three  years  have  seen  an 
unprecedented  rise  in  malicious  computer  attacks  via  network.  Although  these 
have  not  generally  targeted  healthcare,  hospital  systems  have  experienced  the 
downside  of  being  collateral  victims  in  cybersecurity  attacks.  Because  of  their 
position  as  high-value  targets  for  terror-inspired  attacks,  military  healthcare 
organizations  are  tightening  security  and  restricting  vendor  access  for  local  and 
remote  servicing.  This  has  created  some  tensions  as  manufacturers  work  to 
assure  continuity  of  equipment  operation  while  working  out  how  to  meet  these 
sometimes  locally  interpreted  requirements  (e.g.,  security  access,  background 
investigations,  etc.).  This  presentation  provides  a  broad  view  of  what  the  medical 
device  industry  is  doing  collaboratively  with  healthcare  providers  to  mitigate  and 
manage  these  risks.  It  identifies  the  most  active  groups  working  on  the  issues 
around  security  and  privacy  in  medical  devices  and  details  some  of  the  sticking 
points when the “rules of engagement” change unilaterally - as when the
DoD/VA issue new security requirements for hospital access and device features.

Cyber-security and Medical Devices; - Changing the Manufacturer Organization

Nick  Mankovich,  PhD,  Philips  Medical  Systems 

This presentation goes beyond broad industry efforts to show what a typical
NEMA-member company is doing to ensure the confidentiality, integrity, and
availability of these mission-critical and life-critical devices, including
improvements in product creation, organizational changes, and enhanced
customer technical security communication. The medical device manufacturers
are changing to provide for security risk management throughout the product life
cycle, including new security requirements, vulnerability monitoring, incident
response, and high-speed security patch validation - all under the strict
framework provided by government regulations. In short, I present what medical
device manufacturers are doing, discuss some of the constraints, and ask the
conference attendees, “What can we do better while maintaining safe, effective,
and cost-efficient healthcare?”

Medical  Device  Security;  -  US  Air  Force  Perspective 

Sean  Murphy,  Major,  US  Air  Force  Medical  Logistics  Office 

Medical Device Security from an AF Perspective: Where “One Air Force, One
Network” meets “Any Image, Any Where, Any Time” is the focus of this brief. The
various security requirements put in place to protect the warfighter’s network
have tremendous impact on developing an interconnected medical community of
interest. Other DoD Services and government agencies (e.g. VA) have
addressed security in seemingly individual ways. It is difficult to convince medical
device manufacturers and vendors the “rules” have their origin in the same
regulations. The diversity in interpretation and enforcement varies greatly and is
confusing. Opportunities begin in dispelling the myths around Air Force’s
interpretation and enforcement of DITSCAP, NAC, and IA regulations (as
opposed to others in DoD). Further, exploring the Air Force Medical Service’s
vision for a digital imaging grid is key to a common understanding of the way
forward. From the vendor perspective, an understanding of the Air Force medical
device security perspective will foster a tangible competitive advantage (within
DoD and private sector). Along with DoD MTFs, civilian hospitals/health systems
are increasingly security-focused as SOX, HIPAA, and numerous state and
federal privacy/security requirements carry financial ramifications to their bottom
lines.

DoD Information Assurance Policy in Support of Bio-Medical Networks and
System Security; - The Network-Centric vision. - From the medical domain,
looking for feedback for improvement as a result of this conference.

Glenda  Turner,  Office  of  the  Assistant  Secretary  of  Defense  (Networks  and 
Information  Integration) 

The Department’s Network-Centric vision is one of an agile, robust, interoperable
and collaborative environment, where warfighters, business, and intelligence
users all share knowledge in a secure, dependable and global network that
enables informed decision-making, effective operations, and network-centric
transformation. As we transition from a system-centric to a network-centric
environment, it is essential that appropriate Information Assurance (IA) measures
be incorporated to insure that DoD systems, networks and information are
protected. The Department has a resilient IA policy framework that provides
overarching IA guidance for protecting information, systems, and networks. This
presentation will highlight key IA policy and guidance, and solicit feedback from
the conference attendees regarding possible problems, misapplication or
misinterpretation of policy, and recommendations for improvement, focusing on
the medical domain.

2006 Information Assurance (IA) Workshop - Dynamic IA for the Global
Information Grid (GIG): Securing the Warfighter Today and Tomorrow

Jennifer Ellett, TRICARE Management Activity (TMA), Office of the Assistant
Secretary of Defense

Discussion of the 2006 IA workshop - Dynamic IA for the GIG: Securing the
Warfighter Today and Tomorrow - All about Execution. Discussion of the JMIS
works to adapt to the changing IA requirements for operating on the DoD network.

Building  Protected  Networks  for  Clinical  Systems;  -  Military  Health  System 
Perspective,  Lessons  Learned  and  Focus  for  the  Future 

Phillip  LaJoie,  Tri-Service  Infrastructure  Management  Program  Office  (TIMPO), 
Military  Health  System  (MHS) 

Discussion  of  building  protected  networks  for  clinical  systems  on  government 
networks  from  an  MHS  perspective.  Lessons  learned  and  focus  for  the  future. 

Army  Security  Architecture  for  Medical  (ARSAM) 

Steven  Foote,  Senior  Engineer,  Program  Executive  Office,  Enterprise  Information 
Systems  Technology  Applications  Office 

The  Army  Security  Architecture  for  Medical  (ARSAM)  provides  a  framework  to 
use  to  implement  a  Defense-in-Depth  network  security  architecture  by 
incorporating  information  assurance  and  security  as  an  integral  component 
through  the  use  of  private  IP  addressing,  protected/isolated  Virtual  Local  Area 
Networks  (VLANs),  Access  Control  Lists  (ACLs),  intrusion  detection,  firewalls, 
and internal device security. It is envisioned that a “Deny All, Permit by
Exception” security policy will be applied to the ARSAM and the Medical
Treatment Facility enterprise data network, and that only traffic required to
maintain and improve current patient care capabilities will be permitted access
to the protected medical device VLAN. This strategic approach and the network
configuration  measures  associated  with  its  implementation  will  serve  to  mitigate 
the  risk  of  networking  medical  devices/systems,  and  buy  time  for  medical  device 
manufacturers  to  test  and  validate  required  vulnerability  patches  and  as  a  best 
business  practice. 
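
An added illustration of the “Deny All, Permit by Exception” policy described above, not ARSAM's own configuration: a first-match ACL evaluator for a protected medical device VLAN whose implicit final rule is deny, plus an audit that flags denied flows and exceptions no observed traffic needs. The networks, rule names, flow records and the choice of ports 104 (DICOM) and 2575 (HL7) are assumptions constructed for the example.

```python
"""Default-deny ACL evaluation for a protected medical device VLAN.
All networks, rules and flows below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed private (RFC 1918) addressing.
DEVICE_VLAN = ipaddress.ip_network("10.20.30.0/24")    # protected device VLAN
PACS_ARCHIVE = ipaddress.ip_network("10.20.40.10/32")  # archive the modalities send to
HIS_SERVERS = ipaddress.ip_network("10.20.50.0/28")    # hospital information system


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Permit:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto and flow.dport == self.dport
                and ipaddress.ip_address(flow.src) in self.src
                and ipaddress.ip_address(flow.dst) in self.dst)


# The exceptions: only traffic needed for patient care (assumed here to be
# DICOM on its conventional port 104 and HL7 on its conventional port 2575).
EXCEPTIONS = [
    Permit("modality-to-archive-dicom", DEVICE_VLAN, PACS_ARCHIVE, "tcp", 104),
    Permit("his-to-device-hl7", HIS_SERVERS, DEVICE_VLAN, "tcp", 2575),
]


def evaluate(flow: Flow, exceptions=EXCEPTIONS) -> Optional[str]:
    """Return the name of the first permit matching the flow, else None.

    None is the implicit "deny all": nothing is allowed unless listed."""
    for rule in exceptions:
        if rule.matches(flow):
            return rule.name
    return None


def touches_device_vlan(flow: Flow) -> bool:
    return (ipaddress.ip_address(flow.src) in DEVICE_VLAN
            or ipaddress.ip_address(flow.dst) in DEVICE_VLAN)


def audit(flows, exceptions=EXCEPTIONS) -> Tuple[List, List]:
    """Split flows that touch the device VLAN into (permitted, denied)."""
    permitted, denied = [], []
    for flow in flows:
        if not touches_device_vlan(flow):
            continue  # out of scope for this ACL
        rule = evaluate(flow, exceptions)
        (permitted if rule else denied).append((flow, rule))
    return permitted, denied


def unused_exceptions(flows, exceptions=EXCEPTIONS) -> List[str]:
    """Permits that no observed flow needed: candidates for removal."""
    return [r.name for r in exceptions
            if not any(r.matches(f) for f in flows)]


# Constructed flow records (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.20.30.15", "10.20.40.10", "tcp", 104),   # modality sends study
    Flow("10.20.50.3", "10.20.30.15", "tcp", 2575),   # HIS order message
    Flow("10.20.60.77", "10.20.30.15", "tcp", 445),   # office PC to device
    Flow("10.20.30.15", "10.20.40.10", "tcp", 80),    # right hosts, wrong port
    Flow("10.20.50.20", "10.20.30.15", "tcp", 2575),  # outside the HIS /28
    Flow("10.20.60.77", "10.20.40.10", "tcp", 104),   # does not touch the VLAN
]

if __name__ == "__main__":
    ok, blocked = audit(SAMPLE_FLOWS)
    for flow, rule in ok:
        print("PERMIT", rule, flow)
    for flow, _ in blocked:
        print("DENY  ", flow)
    print("unused exceptions:", unused_exceptions(SAMPLE_FLOWS))
```

Reviewing the denied list and the unused exceptions together is what keeps the permit list limited to traffic that patient care requires.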

Proxy  Servers  and  Secure  Communications  for  Clinical  Workflows 

Matt  Ketko,  Agfa  Healthcare  Security  Engineer 

This  discussion  will  focus  on  the  use  of  proxy  servers  for  communications  of 
various  standard  protocols  typically  in  use  (DICOM,  HL7  and  HTTP/S).  In  an 
environment  that  is  seeing  ever  increasing  sharing  of  patient  data,  radiologist 
resources,  and  archiving  capabilities,  a  tremendous  effort  must  be  made  to 
ensure  these  external  connections  are  secure.  Sites  vary  in  their  equipment  as 
well as vendor architecture. To presume that a site's IM/IT department will allow
all  the  external  connections  that  are  required  can  mean  upwards  of  20  or  more 
connections  through  the  firewall.  Every  opening  represents  a  risk  and  so  the 
fewer  the  better.  Proxying  these  types  of  connections  may  help  to  tighten 
perimeter security by closing as many openings as possible and still allowing the
site to fully integrate with external sites.

Veterans  Administration  (VA)  Medical  Network  Isolation  Architecture 

Steven  Wexler,  Veterans  Administration 

VA Isolation Architecture. Increasingly, medical devices are designed using
commercial operating systems and other software providing better function
through user familiar screens and with the added capability to be networked to
facility information technology networks. There are many benefits when medical
devices are networked including ready availability of data and images from
diagnostic exams to clinical staff nearly as soon as they are released thereby
providing for more effective care. But the increasing use of networked technology
also exposes critical hospital equipment to risk from attack by a software worm,
virus, or other software security breach. Because medical devices are designed
for a specific, special purpose with particular design considerations and
constraints, we cannot presently take the same approach to protecting medical
devices from software vulnerabilities that are used with other, more general
purpose IT devices. Examples include routine patching of commercial operating
systems  in  medical  devices  or  application  of  anti-virus  software  to  medical 
devices.  Such  actions  can  potentially  change  the  operating  function  of  the 
medical  device  with  the  possibility  for  negative  impact  on  patient  safety  and, 
therefore,  cannot  be  undertaken  by  the  end  user  without  the  expressed  support 
and  consent  of  the  original  equipment  manufacturer.  The  isolation  architecture 
described  in  the  Department  of  Veterans  Affairs  Medical  Device  Isolation 
Architecture  Guide,  aka  the  Virtual  LAN  or  VLAN,  addresses  risks  associated 
with  medical  devices  connected  to  facility  information  networks  without  impacting 
the  operational  characteristics  of  the  devices. 

Security Architecture for Radiology Picture Archive and Communications System
(PACS) in the Great Plains Regional Medical Command (GPRMC)

Gary  Crouch,  Director  of  Telehealth,  GPRMC 

This  session  will  describe  the  overall  security  architecture  for  radiology  Picture 
Archiving  and  Communications  Systems  (PACS)  in  the  Great  Plains  Regional 
Medical Command. Explore practical procedures and methods used to protect
PACS  and  the  associated  medical  devices  to  ensure  continuity  of  operation. 

Overview of Global Interconnectivity of the Healthcare Community, the Internet,
and DoD

LeRoy  Luginbill,  Strategic  Command,  Joint  Task  Force  -  Global  Network 
Operations 

The  Department’s  Network-Centric  vision  is  one  of  an  agile,  robust,  interoperable 
and  collaborative  environment,  where  warfighter,  business,  and  intelligence 
users  all  share  knowledge  in  a  secure,  dependable  and  global  network  that 
enables  informed  decision-making,  effective  operations,  and  network-centric 
transformation.  As  we  transition  from  a  system-centric  to  a  network-centric 
environment, it is essential that appropriate Information Assurance (IA) measures
be incorporated to insure that DoD systems, networks and information are
protected. The Department has a resilient IA policy framework that provides
overarching IA guidance for protecting information, systems, and networks. This
presentation will highlight key IA policy and guidance, and solicit feedback from
the conference attendees regarding possible problems, misapplication or
misinterpretation of policy, and recommendations for improvement, focusing on
the medical domain

Open Source Software for Multi-center Image Management:

ImTK™ Consortium


Seong K. Mun, Member, IEEE, Mary Lou Ingeholm, Walid Tohme
and  Kevin  Cleary,  Member,  IEEE 


Abstract —  Development  of  software  through  an  open  source  approach  has  gained  popularity  in  the 
information  technology  (IT)  community.  Open  source  software  coupled  with  open  architecture  is  seen  as  a 
critical  component  to  promoting  open  science.  Furthermore  US  government  agencies  are  promoting  an  open 
source  approach  as  a  means  to  transfer  research  software  technology  to  greater  commercial  applications. 
Successful  open  source  efforts  require  a  number  of  key  elements  such  as  free  licensing,  presence  of  active 
participants  and  an  engineering  discipline  that  will  generate  robust  high  quality  software  with  necessary 
documentation.  It  also  requires  an  innovative  business  model  since  the  code  itself  is  made  available  freely.  In 
healthcare  specifically,  the  role  that  FDA  plays  in  software  engineering  must  also  be  addressed.  Recently,  a 
workshop  was  organized  to  review  the  role  of  open  source  in  the  area  of  healthcare  informatics.  The  IT 
capabilities  in  healthcare  are  maturing  rapidly  for  many  types  of  patient  care  settings  yet  there  is  a  significant 
gap  in  the  ability  to  share  biomedical  data  in  multi-center  applications  and  research.  A  new  consortium  is  being 
launched  to  promote  the  development  of  software  tools  for  information  and  image  exchanges  in  the  multi-center 
environment  using  an  open  source/open  architecture  approach. 

Introduction 

In March 2006, the Multi-center Image Management (MCIM) Workshop explored open
source strategies in support of flexible access to biomedical data for the research
community. The group recognized the technology gaps between commercial information
systems that focus on efficient clinical operations within a single institution and the
research environment which requires flexible access to multimedia data generated by
different vendor products and residing in multiple distributed repositories. It was further
noted that these gaps are not likely to be addressed by the commercial community any time
soon as the market for such capability in the current biomedical environment is very
limited. The workshop participants concurred that open source, open standards, and open
architecture can be efficient methods of supporting open science and improved
interoperability. Examples of robust open source projects and software methodologies
were presented and there was broad agreement that adequate rigor must be incorporated
into an open source process in order to meet the highest standards of software quality.
Several examples of successful business models for maintaining the development effort
were described and the importance of long term sustainability beyond initial government
funding was discussed. An open source approach was also introduced as a new model for
collaboration between academia, industry and government. The workshop concluded that
an open source effort by the research community to develop robust, freely available tools
that meet the information management needs of basic, clinical and translational research
is essential to mend the gap between the research and clinical communities [1].

Problems  to  be  addressed 

The information requirements for a biomedical research environment are markedly
different from the clinical environment. Commercial medical information and imaging
systems are designed to support efficient clinical operations within a single organization
whereas researchers need to be able to integrate research data with clinical data often
residing in multiple distributed information repositories. The information management
components for research must be able to handle more complex queries, data mining and a
broad spectrum of data types beyond routine clinical data [1]. This gap between clinical
and research requirements prevents the efficient exchange, sharing, management, and
analysis of multimedia medical information such as clinical information, images, and
bioinformatics data as well as proteomics data sets, significantly impacting the capability
to translate research into clinical outcomes. Thus, while hospitals and research
communities are collecting unprecedented amounts of clinical data and research data, the
ability to data mine these rich collections to support research is limited within an
institution and is essentially nonexistent across institutions. Bioinformatics and
proteomics data have become increasingly important in clinical research but there are not
efficient ways to incorporate these data with clinical information. Multi-center clinical
trials are common activities yet many of the trials are still managed manually and cannot
optimize the value that a multi-center model represents. Each of these issues is a direct
result of the inability to exchange multimedia clinical data and research information
across different organizations and functional environments and impedes the ultimate goal
of improving patient outcomes.

The current situation calls for innovative solutions that engage a broad community of
users. Using an open source and open architecture framework would allow rapid
implementation of scalable and robust software development in a cost effective manner
by a community of users from academia, industry and government.

An  Open  solution:  open  source  software  development 

Adopting an approach that includes open source software and an open architecture is
essential to a solution that can bridge the information management gap between
functional environments within an institution and across multiple institutions. An open
source framework supports rapid software development while open architecture
encourages interoperability across different environments. An open methodology for this
effort will encourage development and implementation of software applications that can
expedite translational research in a multi-center setting.

Open source software development has become a cultural as well as an economic
phenomenon within the information technology (IT) community. It efficiently harnesses
global skills and resources, resulting in accelerated research and development. Open
source initiatives encourage high level technical communication, provide conventions for
interoperable software development, establish a baseline for improvement, open the field
to “beginners”, and create common ground for product development [2]. There is also a
growing body of evidence that open source software produces more robust code with
fewer bugs. From a government perspective, the demand for open access for
taxpayer-funded projects and the need for quality and performance in mission critical
applications is leading to an increased demand for open source solutions [3]. Within the
National Institutes of Health (NIH) specifically, the requirements for accelerating discovery
include promoting team science, lowering barriers and entry costs, enabling (enforcing)
repeatable results and eliminating oversight through transparency. An open source
software tactic reduces redundancy of research, enforces good research practices, and
enables sharing of ideas [2]. Overall, the open source software concept has the greatest
potential for success in developing tools that can bridge the clinical information
management gap between the research and clinical communities.

An  Open  solution  in  Biomedical  Applications 

There  has  been  remarkable  penetration  of  open  source  software  in  medical  imaging 
research  software.  The  Visualization  Toolkit  (VTK)  [4]  and  the  Insight  Toolkit  (ITK)  [5], 
supported  by  the  National  Library  of  Medicine  (NLM)  of  the  NIH,  represent  two  large,
mature,  and  globally  utilized  open  source  toolkits  that  provide  state-of-the-art  imaging 
architectures  and  algorithms  to  application  developers.  VTK  provides  a  wide  range  of 
advanced  multi-dimensional  visualization  algorithms  including  volumetric  reformat, 
volume  rendering,  and  geometric  surface  rendering  algorithms.  ITK  provides  advanced 
image  processing  algorithms,  with  a  particular  emphasis  on  medical  image  segmentation 
and  image  registration  algorithms.  VTK  and  ITK  were  developed  with  a  strong  emphasis 
on  advanced  computing  technologies  and  software  quality.  The  C++  software 
architecture  of  these  toolkits  has  evolved  over  the  years  to  support  a  wide  range  of 
advanced  algorithms  and  computing  technologies  including  parallel  computing.  In 
addition,  several  computational  tools  and  utilities  have  been  developed  that  facilitate  the 
global  development  of  a  high  quality  toolkit  including  a  cross-platform  build  tool  called 
CMake  and  a  software  quality  dashboard  called  DART.  These  open  source  imaging 
toolkits,  and  their  supporting  tools  and  utilities,  represent  a  large  and  growing  resource 
for  future  open  source  technology  solutions  [6]. 

The  Image-Guided  Surgery  Toolkit  (IGSTK)  [7],  another  project  supported  by  National 
Institute  of  Biomedical  Imaging  and  Bioengineering  at  the  NIH,  is  an  open  source,  cross 
platform,  software  toolkit.  IGSTK  integrates  the  basic  components  needed  in  surgical 
guidance  applications  and  provides  a  common  platform  for  fast  prototyping  and 
development  of  robust  image-guided  applications  [8]. 

In  recent  years,  open  source  software  has  gained  visibility  in  the  healthcare  community. 
Several  lead  projects  include  OpenVistA,  a  patient  information  system  based  on  the 
Veteran  Administration’s  system,  Care2X,  an  integrated  practice  management  solution  in 
Europe  and  Health  Infoway,  a  patient  data-exchange  venture  in  Canada  [9]. 

Requirements  for  a  Successful  Open  Source  Software  framework 

While  a  successful  open  source  software  effort  can  produce  rapid,  innovative  and  cost- 
effective  software  development,  making  it  successful  requires  not  only  an  understanding 
of  the  technical  and  business  requirements  of  an  open  source  software  framework  but  the 
cultivation  of  a  community  of  users  who  can  contribute  and  benefit  from  the  endeavor. 

Open  architecture  requirements 

An open source software approach must be coupled with an open architecture to be
sustainable in the long run. “Open” refers to the process used to develop standards that
achieve interoperability where “architecture” defines the components, their organizations
and interactions, and the design philosophy used [10]. Standardization is critical for
creating interoperable, portable, and reusable components and systems; it also contributes
to the development of secure, robust, and scalable systems. Grid technologies have
emerged as a component of the national cyber infrastructure supporting effective
healthcare information. The underlying open grid services architecture (OGSA)
represents a growing trend in systems architecture. The key to the realization of this Grid
vision is standardization, so that the diverse components that make up a modern
computing environment can be discovered, accessed, allocated, monitored, accounted for,
billed for, etc., and in general managed as a single virtual system — even when provided
by different vendors and/or operated by different organizations [11].

Grid applications in biomedical environments enable the creation and operation of
distributed communities across organizational boundaries. Enhanced collaboration
environments, visualization tools, computational resources and storage capabilities are all
grid services upon which Virtual Organizations can build information infrastructure. This
emerging IT infrastructure enables the creation, administration and management of image
based biomedical information [12].

Technical  Requirements  for  an  Open  Source  Software  framework 

Open-source evangelist Eric S. Raymond suggests a model for developing open source
software known as the Bazaar model. He advocates that all software should be developed
using the bazaar style, described as "a great babbling bazaar of differing agendas and
approaches" [13]. In order to make this model effective, Gregorio Robles suggests the
following principles [14]: (1) Users should be given access to the source code of the
software and be encouraged to submit additions, code fixes, bug reports, documentation
etc. Having more co-developers increases the rate at which the software evolves. (2)
The first version of the software should be released as early as possible so as to increase
one's chances of finding co-developers early. (3) New code should be integrated as often
as possible so as to avoid the overhead of fixing a large number of bugs at the end of the
project life cycle. (4) There should be at least two versions of the software - a
development version with more features and a more stable version with fewer features.
The development version is for users who want the immediate use of the latest features,
and are willing to accept the risk of using code that is not yet thoroughly tested. The users
can then act as co-developers. The stable version offers the users fewer bugs but fewer
features. (5) The general structure of the software should be modular allowing for parallel
development. (6) There is a need for a decision making structure, whether formal or
informal, that makes strategic decisions depending on changing user requirements and
other factors.

Distribution  Scheme  for  a  Successful  Open  Source  Software  framework 

As with proprietary software, open source software is distributed under a license. To
help establish some degree of uniformity, the Open Source Initiative (OSI) created the
Open Source Definition which is a specification of what must and must not appear in a
license in order for the software to be considered open source. To meet the open source
definition, a license must provide the following features [15]: (1) The license shall not
restrict any party from selling or giving away the software as a component of an
aggregate software distribution containing programs from several different sources. (2)
The program must include source code, and must allow distribution in source code as
well as compiled form. (3) The license must allow modifications and derived works, and
must allow them to be distributed under the same terms as the license of the original
software. (4) The license must not discriminate against any person or group of persons.
(5) The license must not restrict anyone from making use of the program in a specific
field of endeavor. For example, it may not restrict the program from being used in a
business, or from being used for genetic research.

Sustainability  and  Business  Models 

Although  an  open  source  software  framework  is  cost  effective,  it  is  not  free.  There  are 
costs  associated  with  the  process.  To  maintain  and  grow  the  effort  requires  a 
sustainability  plan  that  goes  beyond  the  initial  funding  period.  Money  will  not  come  in 
through  traditional  licensing  fees,  thus  other  business  models  need  to  be  considered.  As 
open  source  software  development  has  matured,  a  number  of  business  models  for 
sustainability  have  emerged. 

In  the  service/maintenance  model  companies  sell  support  and  services  around  the  open 
source  software,  for  example,  Red  Hat  (Linux)  or  Medsphere  (OpenVista).  In  this
approach,  users  pay  for  support  of  the  software  although  they  may  choose  to  support  the 
software  themselves.  In  another  approach,  the  vendor  provides  an  open  source  code  base 
with  proprietary  add-ons.  Examples  of  this  model  include  Sourcefire  (security)  and 
SugarCRM  (customer  relationship  mgt).  In  a  dual  license  approach,  a  company  offers 
free  use  of  its  software  with  some  limitations,  or  alternatively  offers  commercial 
distribution  rights  and  a  larger  set  of  features  for  a  fee.  Both  the  MySQL  and  Sleepycat 
databases  are  examples  of  a  dual  license  model.  In  the  Aggregation  Model  also  known  as 
the  “Lego”  strategy,  companies  act  as  middlemen  to  assemble  various  open  source 
packages  into  easy-to-use  integrated  units.  SourceLabs  and  SpikeSource  have  adopted 
this  model  [9]. 


New  Business  Models  for  Academia,  Industry  and  Government 

The  NLM  has  been  one  of  the  champions  of  open  source  software  development.  As  the 
imaging  data  from  the  Visible  Human  Project  were  released  for  public  use,  the  NLM  set 
out  to  “create  a  dynamic,  self-sustaining,  public  domain  and  extensible  toolkit  that  will 
empower  researchers  throughout  the  world  to  develop  new  segmentation  and  registration 
algorithms  and  create  new  applications  that  leverage  the  NLM’s  investment  in  the  Visible 
Human  Male  and  Female  data  sets”  [16].  The  project  produced  the  Insight  Tool  Kit  after
four  years  and  seven  million  dollars  of  government  funding.  This  experience  made  it 
clear  to  the  government  that  while  open  source  developed  by  government  grants  may 
promote  open  science  and  empower  researchers,  it  is  not  free.  There  are  costs  associated 
with  the  effort  such  as  distribution  of  the  software,  quality  control  of  the  software,  and 
user  support.  In  order  to  cross  the  “valley  of  death”  between  research  and  successful 
technology  transfer,  it  is  imperative  that  an  open  source  effort  can  be  converted  to  a 
financially  sustaining  activity. 

An  open  source  software  approach  offers  a  unique  way  for  academia,  industry,  and 
government  to  work  in  partnership  to  facilitate  rapid  dissemination  of  knowledge  into  the 
commercial  sector  for  wider  applications.  Software  developed  by  the  academic  research 
community,  under  government  sponsorship  can  be  offered  to  the  open  source  community 
for  further  testing  and  development  and  eventual  adoption  by  the  commercial  industry. 
The  US  Army  Medical  Research  and  Materiel  Command  (USAMRMC),  Telemedicine
and  Advanced  Research  Center  (TATRC)  is  responsible  for  life  cycle  management  of
over  500  medical  research  and  development  programs,  with  a  2005  budget  of
approximately  $300  million.  The  Center’s  research  responsibilities  extend  to
execution  of  academic,  government  and  industry  programs  in  biomedical  research. 
TATRC  is  currently  developing  a  program  to  improve  the  productivity  in  technology 
transfer  from  research  community  to  the  commercial  sector.  This  program  uses  Triple 
Helix  strategies  involving  academia,  industry  and  government  to  accelerate  technology 
implementation.  The  open  source  approach  is  seen  as  a  potentially  effective  means  of 
making  research  results  available  for  greater  dissemination  through  timely 
commercialization  [17]. 


Establishment  of  a  consortium:  ImTK™

A  new  consortium  has  been  formed  to  launch  an  open  source/open  architecture  effort 
that  narrows  the  gap  between  clinical  and  research  needs  by  focusing  on  the  development 
of  software  tools  that  enable  the  efficient  exchange,  sharing,  management,  and  analysis  of 
multimedia  medical  information.  Imaging  and  informatics  experts  at  Georgetown 
University,  Washington  University  in  St.  Louis,  the  Northwestern  University  Feinberg 
School  of  Medicine  and  University  of  Geneva,  Switzerland  have  agreed  to  form  the 
Image  Management  Toolkit  (ImTK)  Consortium.  Collectively  this  consortium  represents 
demonstrated  expertise  in  technology,  clinical  operations,  technology  development,  and 
technology  management  within  the  academic,  government  and  industrial  environment. 

The  mission  of  the  ImTK™  Consortium  is  to  expedite  translational  biomedical  research 
through  the  development  of  software  tools  that  enable  efficient  exchanging,  sharing, 
management,  and  analysis  of  multimedia  medical  information  such  as  clinical 
information,  images,  and  bioinformatics  data.  The  ImTK™  Consortium,  together  with 
partners  in  academia,  industry  and  government,  will  organize  itself  around  four  cores:  1) 
software  tool  development,  2)  open  architecture  and  data  model  implementation,  3) 
knowledge  dissemination,  and  4)  management  and  sustainability.  A  well  managed  open 
source  development  process  has  been  proven  to  produce  high  quality  products  in  a  cost 
efficient  manner  while  simultaneously  developing  a  collaborative  user/developer 
community.  The  ImTK™  technology  initiative  will  not  only  provide  open  source
software  tools  and  components  but  also  an  open  architecture  in  which  they  may  be 
configured  and  deployed.  The  tools  will  comply  with  existing  standards  such  as  Digital 
Imaging  and  Communications  in  Medicine  (DICOM)  and  Health  Level  Seven  (HL7)  and 
build  on  the  technical  frameworks  and  workflow  defined  by  the  Integrating  the 
Healthcare  Enterprise  (IHE)  initiative.  The  open  architecture  will  draw  on  the  best 
practices  of  the  grid  computing  community  and  service  oriented  architecture.  This  new 
effort  will  build  on  the  expertise,  processes  and  development  tools  used  to  create  ITK  and 
VTK.  It  will  also  bring  insight  and  definition  to  the  role  the  FDA  will  play  in  regulating
open  source  efforts  in  the  healthcare  arena  [17].  These  processes  will  ensure  the 
robustness  of  the  software  and  extend  the  family  of  toolkits  from  image  analysis  and 
visualization  to  multimedia  information  management,  information  fusion  and  data  mining. 

The  consortium  will  start  by  developing  a  collaborative  environment  for  a  community 
of  developers  and  users  to  work  together  to  define  use  cases  and  application  scenarios,
design  and  develop  new  tools  and  components,  and  maintain  a  test  bed  on  which 
components  may  be  validated  and  training  programs  developed  and  conducted.  It  will 
draw  on  existing  successful  programs  and  activities  for  best  practices  and  insights.  The 
goal  is  to  establish  a  dynamic,  self-sustaining,  public  domain  and  extensible  toolkit  that 
empowers  scientists,  engineers  and  physicians  throughout  the  world  to  improve  the 
outcome  of  biomedical  research  and  leverage  the  government’s  investment  in  open 
source  initiatives.  The  consortium  will  support  the  development  of  robust  software  for 
research  applications  and  commercial  products  through  conferences,  training  sessions, 
and  tutorials. 